1. Cyber Security Concepts Flashcards

Question

Your organization’s reputation is staked on a book it publishes yearly. When you perform data classification, how should you classify this book and its contents? A)intellectual property B)corporate confidential data C)PHI D)personally identifiable information

Answer 1

~]Intellectual property is a tangible or intangible asset to which the owner has exclusive rights. Intellectual property law is a group of laws that recognizes exclusive rights for creations of the mind. This includes books and music.

Answer 2

Personally identifiable information (PII) is any piece of data that can be used alone or with other information to identify a single person.

Answer 3

Personal health information (PHI) is the medical records of individuals and must be protected in specific ways as prescribed by the regulations contained in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Answer 4

Corporate confidential data includes trade secrets, intellectual data, application programming code, and other data that could seriously affect the organization if unauthorized disclosure occurred. The book contains corporate data, but it cannot be considered confidential if it is released into the public space every year.

Answer 5

The Payment Card Industry Data Security Standard (PCI DSS) affects any organizations that handle cardholder data (CHD) for the major credit card companies. The latest version of the standard is 4.0. To prove compliance with the standard, an organization must be reviewed annually.

Answer 6

A Security Information and Event Management (SIEM) system collects data from the different security devices in the system, such as firewalls and IPSes, and then aggregates the log files for analysis. It provides predictive trend analysis, behavior analytics, alerts, and even helps you comply with regulations like SOX and HIPAA. Automated alerting and triggers are SIEM features that allow the system to react based on predetermined criteria.

Answer 7

A Security Orchestration, Automation, and Response (SOAR) playbook is a checklist of incident response steps to be performed when an incident occurs. In Microsoft Azure, the Azure Sentinel service has playbooks that automate and orchestrate responses to threats. You can configure a playbook to run manually or automatically in response to specific alerts or incidents that are triggered by an automation rule.

Answer 8

Endpoint Detection Response (EDR) is designed to supplement existing systems. It focuses on a proactive versus reactive approach for the detection and prevention of threats before they can attack the organization.

Answer 9

WHOIS is a service that can be used to identify details on the owner of a website.

Answer 10

A Distributed Denial of Service (DDoS) is the vulnerability that has infected the workstation computers. The workstations will now act as zombies to carry out the attack on a single server. Spyware enables an attacker to obtain information about another's computer activities by transmitting data covertly from their hard drive. Ransomware is malicious software that blocks access to a computer system until a sum of money is paid. An advanced persistent threat (APT) is an attack in which an unauthorized user accesses a network and stays there undetected for a long period of time with the intention of stealing data.

Answer 11

OpenVAS is a vulnerability scan tool. Other vulnerability scanning tools include Qualys, Nessus, OpenVAS, Nexpose, and Nikto.

Answer 12

Fuzzers include Untidy, Peach Fuzzer, and Microsoft SDL File/Regex Fuzzer With fuzzing, random data is run against your test in an attempt to find vulnerabilities or crash-causing inputs. Some examples of vulnerabilities that can be found by fuzzing are SQL injection, buffer overflow, denial of service and cross-site scripting attacks.

Answer 13

Interception proxies include Burp Suite, ZAP, and Vega

Answer 14

Packet capture tools include Wireshark, tcpdump, Network General, and Aircrack-ng.

Answer 15

Containerization is similar to building a system image, but for applications. It is an application development model that stores everything needed to run that application in an executable image. All of the libraries, binaries, configuration info, etc., are stored in the container.

Answer 16

Serverless is an application development model that provides developers the opportunity to build and run applications in the cloud, without the added responsibility of having to maintain servers.

Answer 17

Federation allows customers of different cell phone services to communicate with each other. While each network has its own infrastructure, devices such as routers and gateways as well as network services are uniformly configured to a common standard. In general, federation allows members of disparate networks to communicate with each other.

Answer 18

The tool shown is Wireshark, which is a packet analyzer. Packet analyzers are also called sniffers or protocol analyzers. This type of tool captures traffic on the network.

Answer 19

Serverless is an application development model that provides developers the opportunity to build and run applications in the cloud, without the extra responsibility of having to maintain servers on premises.

Answer 20

Secure Access Service Edge (SASE) is used to ensure security in a software-defined wide area network (SD-WAN) environment, particularly in a cloud environment. SASE is often associated with the zero-trust model.

Answer 21

You should implement a honeypot. Honeypots are systems that are configured to be attractive to hackers and lure them into spending time attacking them while information is gathered about the attack.

Answer 22

Zero-trust architecture consists of a Policy Engine, a Policy Administrator, and a Policy Enforcement Point. The goal of zero trust is to continuously monitor the authentication and authorization of devices, users, and processes. The Policy Engine is responsible for granting or denying access based primarily on policy, but other factors can be taken into consideration. The Policy Administrator decides to open or close the communication path from the requestor to the resource, based on the decision of the Policy Engine. The Policy Enforcement Point establishes and terminates the connections.

Answer 23

Netstat (network statistics) is a TCP/IP utility that you can use to determine the computer's inbound and outbound TCP/IP connections. Used without parameters, it displays a list of the current connections and their listening ports, including the protocol (TCP or UDP), local IP address and port, foreign IP address and port, and connection state. When connections to unexpected ports are suspected, netstat can be used to identify the origin of any connections to the ports in question. Newer versions of LINUX do not support netstat. In those versions, use the ss (socket statistics) command. To see all current TCP connections and their listening ports, you would run the ss – lt command, as shown below: mcmillan@server69:~$ ss -lt State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:7080 *:* LISTEN 0 128 *:6032 *:* LISTEN 0 128 *:http *:* LISTEN 0 128 *:6033 *:* LISTEN 0 128 *:6033 *:* LISTEN 0 128 *:6033 *:* LISTEN 0 128 *:6033 *:* LISTEN 0 128 *:ssh *:* LISTEN 0 128 *:https *:* LISTEN 0 128 :::ssh :::*

Answer 24

Issuing nbtstat at a Windows command prompt will show NetBIOS information.

Answer 25

Issuing tracert at a Windows command prompt will trace the route a packet takes from the source computer to the destination host. Traceroute is the Linux equivalent of the tracert command.

Answer 26

While paid security feeds are valuable, they are not considered open source, rather they are considered closed source because they are not available to everyone at no cost. They are proprietary and paid, and therefore considered closed-source intelligence. Social media sites, blogs, and forums can be used to gather threat intelligence, especially when steps have not been taken to keep the organization’s sensitive data off the social media site. Since these public sites are available to all, any information useful to an attacker that is gathered from these sources is open-source intelligence. Blogs and forums can also be sources of threat intelligence when bloggers and forum writers reveal more than they should about an organization’s information. Since these sites are available to all, this is open-source intelligence. Government bulletins are a good source of the details of the latest known attacks and attack approaches. Since these bulletins are available to all, this is open-source intelligence.

Answer 27

You should recommend integrating webhooks into the application that will automatically update the trial version to the paid version when the payment is successfully processed. The webhook will be triggered when the payment processor notifies the application that the payment is complete, and not in scenarios where the payment fails to process or the payment session times out.

Answer 28

An application programming interface (API) is a web service that enables your application to interact with a database, other applications, and other platforms. Your application can be your SaaS product or an e-commerce website. While an API can be used for functions such as displaying dynamic data in your application (in which the API is called to fetch the information from the database and display it) it cannot be used to upgrade pr update an application version.

Answer 29

Plugins are small reusable components or programs that can be added to your web applications for additional functionality. For example, when you add WordPress plugins to your WordPress website it enhances the web application’s functionality. In this scenario, plugins cannot be used to automate the subscription upgrade upon payment.

Answer 30

An applet is a small program that is coded to perform specific function in an application. Applets are mostly associated with Java programming language. Applets provides limited functionality and cannot be used to automate the subscription upgrade upon payment.

Answer 31

AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the Internet by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online. Like the WHOIS database, which can be searched for DNS domains with a bad reputation for sending malicious traffic, AbusePBD reports on IP addresses and ranges of addresses with a bad reputation for engaging in hacking attempts or other malicious behavior.

Answer 32

Strings is a utility that searches an executable for ASCII and Unicode strings. It ignores context and formatting, so it can analyze any file type and detect strings across an entire file (although this also means that it may identify bytes of characters as strings when they are not).

Answer 33

VirusTotal checks the hash values of a suspect file against those in online and offline malware databases. Further examination is made easier as a result of this procedure, which reveals more about the code's functioning and other important data.

Answer 34

Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, macOS, Linux, and iOS for suspicious activities. It performs deep malware analysis and generates comprehensive and detailed analysis reports.

Answer 35

While it is true that security initiatives, such as a vulnerability scan, must create value that exceeds the cost, the cost of obtaining the scan results is not a consideration when establishing the confidence level in the findings. The accuracy of the results is perhaps the most important consideration when establishing the confidence level. Inaccurate results can lead to wasted effort on noncritical issues, while more critical issues are left unaddressed. The relevance of the results is also consideration when establishing the confidence level because in some cases results may indicate an issue that, while present, is irrelevant. For example, a missing patch for SQL Server is irrelevant when the organization uses Oracle. Finally, the timeliness of the results is a consideration. Older data may be less valuable than more recent data because there is more time to react to a new issue, while it may be that nothing can be done about an older issue.

Answer 36

Security information and event management (SIEM) software can collect logs from specified devices, combine the logs, and analyze the combined logs for security issues. By doing so, they can identify attacks that would be more difficult to identify otherwise.

Answer 37

One option for studying malware is to set up a sheep dip computer. This is a system that has been isolated from the other systems and is used for analyzing suspicious files and messages for malware.

Answer 38

A SOAR solution does not analyze collected data to identify patterns, then automatically assess and trigger alerts for action and response. These functions are performed by a Security Incident and Event Management (SIEM) solution. SIEM technology collects event log data from a range of sources, identifies activity that deviates from the norm with real-time analysis, and takes appropriate action.

Answer 39

SOAR is a software technology platform that enables organizations to collect relevant data about security threats and respond to security events with minimal human intervention. SOAR platforms combine three components: Security orchestration Security automation Security response

Answer 40

A SOAR solution has the following capabilities: Provides a fully automated workflow from alert validation through playbook activation. Creates a knowledge base and helps the organization avoid and manage security threats. Receives alerts about security incidents and responds automatically to the incident.

Answer 41

SOAR provides advanced threat protection and acts as a vital component of security operations across various divisions of the organization. Organizations use SOAR to monitor threat investigations and responses, for security intelligence management, and for security operations center (SOC) optimization. SOAR helps organizations improve the efficiency and effectiveness of their security operations by: Improving response time to security incidents Facilitating the investigation process Integrating disparate threat protection technologies into a unified dashboard Minimizing the impact caused by attacks Managing and reporting security threats Visualizing meaningful information through dashboards Reducing operating costs

Answer 42

SOAR is designed to automate and orchestrate incident response processes, streamlining workflows and enabling faster responses to security incidents. Conversely, SIEM primarily focuses on collecting, analyzing, and correlating security event data to provide insights and detect threats in real-time.

Answer 43

The attack described has all the elements of an advanced persistent threat (APT). An APT is a hacking process that targets a specific entity and is carried out over a long period of time. In most cases, the victim of an APT is a large corporation or government entity. The attacker is usually a group of organized individuals or a hostile government. In an APT, the attackers have a pre-defined objective, such as a specific asset belonging to your organization (including smartcard credentials, control of social media logins, a database of PII, and so on). Once the objective is met, the attacks stop. APTs can often be detected by monitoring logs and network performance metrics.

Answer 44

A passive attack is one in which the attacker only captures information but does not take any actions or send any data on the network. APT attacks are active attacks in which actions are taken by the attacker. However, APTs typically begin with passive reconnaissance.

Answer 45

A Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) system uses a graphic, which is difficult for a bot to read but not a human, to ensure that bots (automated process used by hackers to create accounts) are not allowed to create accounts.

Answer 46

A Request for Comments (RFC) is often issued when a new technology or practice is suggested within the industry. It represents a call for peer review on the subject. RFCs are administered and issued by various bodies, among them the Internet Engineering Task Force (IETF) and the National Institutes of Standards and Technology (NIST).

Answer 47

TTP stands for tactics, techniques, and procedures and is a concept that is used to identify patterns of behavior that can be employed to defend against certain strategies and threat vectors utilized by malicious actors.

Answer 48

Structured Threat Information eXpression (STIX) defines a common language for discussion threat intelligence and serializes it into a coherent format. It is a tool for spreading information about vulnerabilities, and not a research source.

Answer 49

TAXII stands for Trusted Automated eXchange of Indicator Information. It was designed to specifically support STIX by defining how cyber-threat information can be shared via services and message exchanges. STIX and TAXII are both tools for sharing research, not research sources.

Answer 50

Steganography is the process of removing some bits of information about a graphic and inserting data that you want to hide in place of the missing graphic information. This swapping does not typically have a noticeable effect on the graphic, but it allows the sender to hide data that can be extracted later via the same application used to insert it into the graphic. The best defense against steganography is to periodically scan PCs for questionable software. The presence of steganography software on any system should be prohibited unless it is specifically required for business purposes.

Answer 51

This is not double tagging. Double tagging is an attack that allows a malicious individual to access a VLAN for which they are not a member. Double-tagging attacks can be prevented by keeping the native VLAN of the trunk ports different from the user VLANs.

Answer 52

This is not masquerading. Masquerading is when a single public IP address is used by all interior devices when accessing the Internet. This is done by deploying Network Address Translation (NAT). It is called NAT because none of the devices will reveal their private IP address to the outside world.

Answer 53

Changes to the registry or anomalies in the registry settings is a host-related issue, as these settings affect the entire system.

Answer 54

Anomalous activity, such as an application shutting down unexpectedly, is an application-related issue. When new accounts for an application appear, it is an application-related issue. It is also an indication of a serious security issue, as adding accounts probably requires administrator rights. When a program begins to display unexpected output, such as a strange new dialog box, it is an indication of an application-related security issue. In many cases this is an indication that a malware infection has occurred.

Answer 55

You are implementing endpoint security. Endpoint security involves protecting the endpoints (workstations, printers, and so on) in the network, including protecting them from other endpoints that spend at least some of the time outside the LAN. This is done by verifying patches and updates before the device is allowed access to the network. Endpoint security also includes the process of hardening endpoints.

Answer 56

You are not implementing a sinkhole. A sinkhole is a routing mechanism that can route traffic from a device being flooded to a location where the traffic can be studied.

Answer 57

A SYN flood is a denial-of-service (DoS) attack that originates from outside the network. It has nothing to do with social engineering.

Answer 58

While all of these issues should be a concern, when heavy bandwidth consumption is detected in the network the most likely cause is a denial-of-service (DoS) attack. High bandwidth usage is the key symptom of a DoS attack. The best course of action is to identify the source of the traffic and block it at the firewall. Going forward, you should prevent all traffic from outside the network that uses a source address that is a private address, keep all anti-malware up to date, and ensure that users are trained in safe practices.

Answer 59

A buffer overflow would not typically cause a surge in bandwidth usage. When these attacks occur, the device usually crashes. A symptom of buffer overflow is a device suddenly becoming unavailable. If this occurs, then all web applications in the device should be checked for proper input validation. A buffer overflow attack typically involves violating programming languages and overwriting the bounds of the buffers they exist on. Most buffer overflows are caused by the combination of manipulating memory and mistaken assumptions around the composition or size of data.

Answer 60

Infrastructure as code (IaC) is the process of using definition and configuration files to provision and manage data centers. Automating this process through scripts can ensure that there is more control and less opportunity for error when deploying servers, as compared with manual configuration. IaC is the foundation for Secure DevOps. Secure Development Operations (Secure DevOps) means that security is built into all your development operations.

Answer 61

Waterfall is a development framework that uses tightly defined processes that are executed in a linear sequence.

Answer 62

Agile is a cyclical methodology where development phases are iterative, and each cycle moves the project a little closer to the final product.

Answer 63

Immutable systems are those where the configuration is static and may not be changed.

Answer 64

Single sign-on (SSO) is not associated with PKI. It is a process that allows users to log on once to the network and thereafter not be required to issue another password to access resources. Certificate authority (CA) is an element of PKI. The CA validates the entities identified in the certificate. The registration authority (RA) authorizes certificates. The RA validates the user request for a certificate and directs the CA to issue the certificate. The certificate store is used by applications running on a system to retrieve stored certificates, certificate trust lists, and certificate revocation lists. Another element of PKI is the certificate database. This database stores information about the certificate, as well as the validity status and the validity period.

Answer 65

Part of risk management is identifying mitigations, called controls, to address issues. Examples of the types of controls are: Preventative controls: controls that stop something from occurring, such as locks. Managerial controls: controls that specify acceptable practices within an organization, such as acceptable use policies. Corrective controls: controls put in place to reduce the effect of an attack or other undesirable event, such as backups.

Answer 66

If a user modifies a browser's security settings to make it more convenient to visit websites, such as turning off pop-up blockers and anti-phishing controls, this is an example of a weak configuration. Misconfiguration and weak configurations can have a severe impact on the entire organization. Misconfiguration, such as not changing the default administrative user name or password, can also have a significant impact.

Answer 67

Improper error handling could allow an attacker to crash a program. Error checking should be built into every module or code function. An error should not result in a crashed application but rather generate an error message. Systems and components, such as routers, should never be deployed with the default configuration enabled. As an example, many small office/home office (SOHO) users are thrilled that they got their new wireless network to finally communicate "out of the box." As a result, they do not change the default administrator information, leaving their network wide open for attack.

Answer 68

Privileged access management (PAM) is a process that provides extra protection for roles above the level of regular users, such as an administrator or a service account. If an account that is assigned special access is compromised, that breach can have a more significant impact than a breach of a regular user’s account.

Answer 69

Secure Access Service Edge (SASE) has Firewall as a Service (FWaaS) as one of its components. Other components include secure web gateways (SWG), a cloud access security broker (CASB), and zero trust network access (ZTNA). SASE is used to ensure security in a software-defined wide area network (SD-WAN) environment, particularly in a cloud environment. SASE is often associated with the zero-trust model.

Answer 70

Software-defined networking (SDN) allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents.

Answer 71

FTK will satisfy the requirement of needing a forensic suite tool. Burp Suite and Zed Attack Proxy (ZAP) are interception proxy tools. Another interception proxy tool is Vega. DD is an imaging tool. While this type of tool is considered a forensics tool, it does not provide a forensic suite because it performs only one function, which is imaging.

Answer 72

Preventative – includes tools that provide intrusion prevention system (IPS), firewall, antivirus, anti-malware, Enhanced Mitigation Experience Toolkit (EMET), web proxy, and web application firewall services.

Answer 73

Collective – includes tools that provide network scanning, vulnerability scanning, security information and event management (SIEM), packet capture, and intrusion detection system (IDS) services.

Answer 74

Analytical – includes tools that provide vulnerability scanning, monitoring, and interception proxy services.

Answer 75

Exploit – includes tools that provide interception proxy, exploit frameworks, and fuzzer services.

Answer 76

Forensics – includes tools that provide forensics, hashing, password cracking, and imaging services.

Answer 77

User behavior analysis and analytics will be of no help when a hacker breaks the key to a hashed password, which is one that has had a message digest value generated using a hashing algorithm like SHA. If the message digest value is identified, the hacker will be able to identify the password. You cannot directly turn a hashed value into the password, but you can work out what the password is if you continually generate hashes from passwords until you find one that matches. Any abnormal user behavior can be evidence of a system compromise. Examples include: Editing of user groups or other abnormal account activity Communication attempts from unusual geographic locations or impossible travel User activity at odd hours

Answer 78

Webhooks would not be suitable for deleting or updating data on other systems or databases. An API is the interface of the application that permits other programs or applications to request, input, delete, or update data in the application. A webhook uses an HTTP POST message to communicate from one application’s API to another application’s API. The communication is triggered in response to a user-defined event that occurs in the webhook’s application. APIs and webhooks are used to accomplish similar goals, but in different ways. While APIs programmatically direct an entity to create an order, webhooks inform an API that an event has occurred. The message is used to trigger an action in response, such as sending an email or creating a calendar event.

Answer 79

Webhooks are suitable in number of scenarios, which include but are not limited to: Notifying the customer support team when customers raise a payment dispute. Automatically sending invoices to accounting department after customers pay via an e-commerce platform. Sending an email to a developer to request a fix for a non-urgent issue. Webhooks are used to automate workflows. Other real-world scenarios where webhooks can be used would include: Notifying an agent in a chat application when a query is sent in the chatbot engine. Automatically sending an email to a marketing team via customer relationship management (CRM) software when a customer makes a purchase or exits a shopping cart without buying. Receiving automatic email reminder notifications from your calendar application on your phone. Automatically uploading photos from one social media platform to another, such as from Instagram to Twitter.

Answer 80

Commercial (private) threat data feeds are a good source of threat intelligence, but they are not considered open source because they are only available to paid partners. Threat intelligence can also sometimes be obtained from internal sources such as the organization’s cybersecurity response team, but these are not considered open source because they are not available to all.

Answer 81

High memory consumption is considered a host-related symptom. It typically indicates the presence of malware. Host-related symptoms are those related to use of resources on the host that will be recorded in the local logs of a device. Unusual processor or memory consumption could be determined by using a resource monitor on the device. If either of these symptoms occur, then you should suspect a malicious process is using the processing resources or memory. The best course of action is to scan the device for malware. Common host-related symptoms include unusual processing consumption, memory consumption, or drive capacity consumption; unauthorized software and malicious processes; unauthorized changes and privileges; and data exfiltration. Issues with drive capacity consumption could also be determined by using a resource monitor on the device. When this symptom occurs, you should suspect that some malicious process is filling the drive as part of a DoS attack. Again, the best course of action is to scan the device for malware. Unauthorized software could be detected with a vulnerability scan that identifies unauthorized software. When discovered, you should suspect that a malicious individual has compromised the device, even if the unauthorized software is not classified as malware. Some legitimate third-party software has known vulnerabilities that put your entire network at risk if it is installed. The best course of action is to re-image the device using the latest snapshot, if available. To ensure security, you should use a policy that prevents the installation of unauthorized software and ensure that users are trained in safe practices. Malicious processes could be detected by using a tool like Process Explorer. You should suspect the presence of malware if you notice unusual processor, memory, or drive capacity usage on a host. The best course of action is to scan the device using anti-malware software. If you are unable to remove the malicious software, you should re-image the device using the latest snapshot, if available, and ensure that anti-malware programs are kept up to date. Unauthorized changes could be discovered by performing a compliance scan in which the current device settings are compared to a baseline. When it occurs, you should suspect that the device has been compromised. You should attempt to restore the device to the correct settings and remove any unauthorized permissions that have been granted. You may need to re-image the device using the latest snapshot, if available. Ensure that users are trained in safe practices and that user accounts are hardened against privilege escalation. The general recommendation for all host-related attacks is to keep anti-malware up to date and ensure that all users are trained in safe practices.

Answer 82

Unusual traffic spikes is a network-related indicator of compromise (IoC). It can indicate a denial-of-service (DoS) attack is underway. Abnormal operating system behavior, such as an unexpected reboot, is a host-related IoC. File system changes made in an unauthorized manner and system anomalies (actions taken by the system that are statistically unusual as determined by an algorithm) are host-related IoCs. Unauthorized changes to the registry settings or settings that are statistically unusual as determined by an algorithm (registry anomalies) can indicate either malicious changes or mistakes in configuration. This is also considered a host-based IoC. Unauthorized scheduled tasks are automated operations that have been configured by an unauthorized individual. While scheduling tasks is a function that can be quite helpful in taking care of mundane and repetitive maintenance tasks, when they are configured by an unauthorized person, it is a host-related IoC.

Answer 83

A Network Time Protocol (NTP) server allows devices to synchronize their clocks using a common source. Accurate time synchronization is important to corroborate events and to follow the sequence of events that occurred in an attack.

Answer 84

You could use a sinkhole. A sinkhole is a routing mechanism that can route traffic from a device being flooded to a location where the traffic can be studied.

Answer 85

In a peer-to-peer botnet, devices that can be reached externally are compromised and installed with server software that makes them command and control (C&C) servers. The compromised devices then carry out attacks. The best course of action is to identify whether a botnet is present, and if so, to check ALL devices for malware. If you discover a case of illegal peer-to-peer software, then ensure that devices are scanned for unauthorized software on a regular basis. You should also keep all anti-malware programs up to date and ensure that users are trained in safe practices. This is not a rogue device because it is a known device being managed. Rogue devices by definition are unknown and unmanaged. This is not a sinkhole. A sinkhole is a target to which hostile traffic can be directed that provides an appropriate place to analyze the traffic. This is not honeypot. A honeypot is a device made to be attractive to hackers and designed to engage them so that evidence can be gathered about them.

Answer 86

Secure sockets layer (SSL) inspection decrypts and opens incoming encrypted traffic, examines the contents for threats, and, providing there are no issues, re-encrypts the traffic for delivery.

Answer 87

Network segmentation involves dividing the network at either Layer 2 or Layer 3 to create desirable security barriers between devices in the network. It cannot route traffic from a device being flooded to a location where the traffic can be studied.

Answer 88

You would find Linux configuration files in the /etc/ directory. In Linux, each application and process has its own configuration file. The Linux file structure uses the /etc/ directory for configuration file locations.

Answer 89

JSON is an open standard file and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and arrays.

Answer 90

Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing data. It makes use of tags to delimit elements.

Answer 91

Python is a programming language that uses new lines to complete a command, as opposed to other programming languages which often use semicolons or parentheses.

Answer 92

PowerShell is an object-oriented automation engine and scripting language that features an interactive command-line shell that operates within Microsoft Windows. PowerShell was developed to help IT professionals configure systems and automate administrative tasks on Windows machines. Unlike other command-line shells that are based on text, PowerShell works with objects instead.

Answer 93

You are exploring the attack surface of a Windows 10 host. Which scripting environment is an automation standard for modern Windows systems? A)VBA B)Java C)Bash D)PowerShell

Answer 94

Bash (Bourne-Again Shell) is a common built-in command-line shell for UNIX and Linux systems.

Answer 95

Java is a class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible. It is a general-purpose programming language.

Answer 96

Office Visual Basic for Applications (VBA) is an event-driven programming language that enables you to extend Office applications.

Answer 97

Regular expressions are sequences of characters that specify match patterns in text. While the use of regular expressions is somewhat complicated, the following regular expressions examples will execute a search as indicated: a {5} will match “aaaaa” n {3} will match “nnn” [a-z] {4} will match any four-letter word such as “door”, “room” or “book” [a-z] {6,} will match any word with six or more letters Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing data. It makes use of tags to delimit elements. The # character is used in JSON to indicate comments, which are ignored by the shell. They begin with the hash symbol (#) and continue until the end of the line. JSON is an open standard file and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and arrays.

Answer 98

Beaconing refers to traffic that leaves your network at regular intervals. This type of traffic could be generated by compromised hosts that are attempting to communicate with (or call home to) the malicious party that compromised the host. The compromised hosts do this in response to the command and control software that is running on the hacker's device. The best course of action is to identify the destination of the traffic and block it at the firewall. Beaconing indicates some sort of malware or compromise is present, so the best course of action is to remove all malware, and if the device still does not function properly after the malware removal, then re-image the device. You should also keep all anti-malware up to date and ensure that users are trained in safe practices. This is not a ping sweep. A ping sweep would touch the device only once. Ping sweeps use ICMP to identify all live hosts by pinging all IP addresses in the known network. All devices that answer the ping are known to be up and running. The symptoms of this attack are unusual spikes in network traffic. These sweeps can be detected by intrusion detection systems (IDS) and intrusion prevention systems (IPS). They indicate an attempt to map your network. The best course of action is to identify the source of the sweeps. Going forward, you should also deploy an IPS or IDS, if not already present. This is not a probe request. The device would not send these at regular intervals. That is a wireless transmission sent by a wireless station to associate with a WLAN that is not advertising its SSID. This is not peer-to-peer traffic. Peer-to-peer traffic occurs between peers within your network or with hosts outside the network. This traffic would not be at regular intervals.

Answer 99

You would want to exclude the Notice logging level. Notice is used for events that are classified as informational and would not normally raise a security concern. Logging levels are classifications that indicate the severity or urgency of the logged event. Common logging levels include Emergency, Alert, Critical, Error, Warning, Notice, and Debug. Log ingestion is the process of aggregating the logs collected from various devices across the network. An Emergency logging level would indicate a critical system failure, which you would want to see in a syslog. An Alert logging level would indicate a potential security threat. A Critical logging level would indicate a serious system error.

Answer 100

Encrypting data at rest is not considered an active defense. An active defense either changes something in reaction to an indicator of compromise (IoC) or presents an immediate challenge or distraction to the IoC. Rotating IP addresses for sensitive assets is a form of active defense and is designed to make it more difficult to fingerprint a system, which includes capturing its IP addresses. Dynamically changing the network topologies in response to the appearance of an IoC is a form of active defense. For example, a router might respond to the appearance of an IoC by shutting down an interface and placing a new route in the routing table, thereby routing traffic around the area where the IoC was detected. A honeypot is a network device made to be attractive to hackers and designed to engage them so that evidence can be gathered about their methods and avenues of attack.

Answer 101

One method of decomposing software is to use a decompiler to reconstruct the high-level code of the source language. Then it can be analyzed by one who understands the source code.

Answer 102

The tool displayed is Nessus, a widely used vulnerability scanner. It shows the vulnerabilities found by the tool and color-codes them by severity, as shown on the graphic.

Answer 103

The Metasploit tool is used to mount various types of attacks

Answer 104

National Institute of Standards and Technology (NIST) Special Publication 800-61 provides guidelines for all stages of handling Indicators of Compromise (IoC), including collection, analysis, and application.

Answer 105

The activity described is called beaconing. Beaconing refers to traffic leaving your network at regular intervals from the same device to the same destination. This type of traffic could be generated by compromised hosts that are attempting to communicate with (or call home to) the malicious party that compromised the host. Hosts attempt to communicate with what is called a command and control (C&C) server. The best course of action is to first identify the destination of the traffic and block it at the firewall. It indicates some sort of malware or compromise so you should also remove all malware. If the device still does not function properly after the malware removal, then re-image the device. You should also keep all anti-malware up to date and ensure that users are trained in safe practices.

Answer 106

IPS and IDS

Answer 107

The presence of malicious processes is a host-related symptom, not a network-related symptom. Common network-related symptoms of incidents are bandwidth consumption, beaconing, irregular peer-to-peer communication, rogue devices on the network, scan sweeps, and atypical traffic spikes. Malicious processes are located on devices, and thus are considered a host-related symptom. Common host-related symptoms include unusual processing consumption, memory consumption, or drive capacity consumption; unauthorized software and malicious processes; unauthorized changes and privileges; and data exfiltration. The general recommendation for all host-related attacks is to keep anti-malware up to date and ensure that all users are trained in safe practices. Unusual processor or memory consumption could be determined by using a resource monitor on the device. If either of these symptoms occurs, you should suspect a malicious process is using the processing resources or memory. The best course of action is to scan the device for malware. Issues with drive capacity consumption could also be determined by using a resource monitor on the device. When this symptom occurs, you should suspect that some malicious process is filling the drive as part of a DoS attack. Again, the best course of action is to scan the device for malware. Unauthorized software could be detected with a vulnerability scan that identifies unauthorized software. When discovered, you should suspect that a malicious individual has compromised the device, even if the unauthorized software is not classified as malware. Some legitimate third-party software has known vulnerabilities that put your entire network at risk if it is installed. The best course of action is to re-image the device using the latest snapshot, if available. To ensure security, you should use a policy that prevents the installation of unauthorized software and ensure that users are trained in safe practices. Malicious processes could be detected using a tool like Process Explorer. You should suspect the presence of malware if you notice unusual processor, memory, or drive capacity usage on a host. The best course of action is to scan the device using anti-malware software. If you are unable to remove the malicious software, then you should re-image the device using the latest snapshot, if available, and ensure that anti-malware programs are kept up to date. Unauthorized changes could be discovered by performing a compliance scan in which the current device settings are compared to a baseline. When it occurs, you should suspect that the device has been compromised. You should attempt to restore the device to the correct settings and remove any unauthorized permissions that have been granted. You may need to re-image the device using the latest snapshot, if available. Ensure that users are trained in safe practices and that user accounts are hardened against privilege escalation. Unauthorized privileges could be discovered by examining the event log to determine which users are performing these privileged acts. If the user can be identified, then disciplinary action should be taken. If not, then the best course of action is to scan the device for malware and for compliance to the baseline. Ensure that users are trained in safe practices and that user accounts are hardened against privilege escalation. Data exfiltration can be discovered with DLP software, if present. If not, then data exfiltration may be discovered only when it falls into the wrong hands. The best course of action is to identify the source of the disclosure, if possible, and then take disciplinary action and employ a DLP solution in the enterprise.

Answer 108

You would evaluate the following processes to verify whether they are suitable for automation: Frequently executed processes Processes in a security response playbook Processes that do not require human intervention Processes that correspond to relevant threat models Repeated and repeatable tasks that are frequently executed in the same way using the same parameters are strong candidates for automation. The benefit of automating these tasks is the amount of human time and attention freed up for other duties, such as threat analysis. You would not automate rarely executed processes because doing so would not be a net gain of efficiency in operations. Processes in a security playbook and processes that correspond to relevant threat models should also be automated where feasible. These processes have already been identified as best practices for the team to follow in response to specific types of incidents. Automated threat detection and response can both increase the speed of incident discovery and halt a threat before it has time to advance further than the perimeter of the attack surface. Processes that do NOT require human intervention, such as continually monitoring the status of all endpoints connected to a secure internal network, are also best suited for automation. For example, if an unknown device is discovered, automated processes can alert a human technician and send all related telemetry data for analysis. Finally, processes that correspond to threat models identified as relevant to your organization should be evaluated for automation. While other types of IT-related processes can be automated, doing so will not improve overall security operations. Cybersecurity will always require human engagement, and you would not look to automate tasks that require human judgement or intervention. However, you would always want to automate tasks to provide the human analysts with supporting information regarding any alert or incident, such as automatically finding the GPS location of a mobile device being used for a suspicious login. Whether a process involves a business-critical system or takes a long time to execute does not factor into how suitable it is for automation.

Answer 109

Federation allows customers of different cell phone services to communicate with each other. While each network has its own infrastructure, devices such as routers and gateways as well as network services are uniformly configured to a common standard. In general, federation allows members of disparate networks to communicate with each other.

Answer 110

A zero-day attack is one discovered in live environments for which no current fix or patch exists, as in this case.

Answer 111

You should deploy a jump box. A jump server or jump box is a server that is used to access devices that have been placed in a secure network zone, such as a perimeter network (formerly referred to in documentation as a DMZ). The server would span the two networks to provide access from an administrative desktop to the managed device.

Answer 112

This is an example of system isolation; in this case, it is Microsoft server isolation. The configuration required to allow the non-domain devices to be able to authenticate and connect with the server is called an exception. Systems can be isolated from other systems through the control of communications with the device. By leveraging group policy settings, you can require that all communication with isolated servers must be authenticated and protected by using IPsec (and optionally encrypted as well). As group policy settings can only be applied to computers that are domain members, devices that are not domain members must be specified as exceptions to the rules controlling access to the device if they need access. While it is true that entre networks can also be isolated from the network in general, this is not a perimeter network, and an acknowledgement is used on an intrusion detection system (IDS) to indicate that it has detected devices that are already known. A perimeter network is a network logically separate from the intranet where resources that will be accessed from the outside world are made available without requiring authentication. This type of network was previously referred to as a demilitarized zone (DMZ), but this term is no longer in common use. This is also not a perimeter network with an exception. Exceptions are used with server isolation, not with perimeter networks. This is not an extranet. An extranet contains resources available only to certain entities from the outside world through access that is secured with authentication. Exceptions are used with server isolation but not with extranets.

Answer 113

Changes to the file system is a host-related issue, as it will affect the entire system. An unexpected outbound communication is an application-related issue. In many cases, it is an attempt by a malicious backdoor to call home to the hacker. A service interruption is an application-related issue, and only involves the interruption of that service. Any time an issue is reported to the Application log in Windows Event Viewer, it is an application-related issue. This log is maintained by Windows systems and records when something occurs within (or affects) the application. Examples of logged events would include: Memory leaks Non-existent path errors Unhandled exceptions in the code A system crash

Answer 114

Advanced persistent threats (APTs) are prolonged strategic attacks that hackers try to keep hidden so that they can continually exploit their targets. They are usually sourced from hostile nation-states and have high-profile targets, including national infrastructure and the military.

Answer 115

Controlling administrative access is MORE difficult in a cloud environment because access is provided through the Internet, eliminating the physical security and perimeter security provided in the on-premises environment It is true that insiders with the provider may cause issues due to the rights they have working in your support. It is true that with the responsibility split between the provider and the tenant, gaps in securing the solution may appear. It is true that co-locations create a larger attack surface. In this scenario, you are sharing the virtual environment and there is more danger from other tenants, which is an issue that does not exist in on-premises environments.

Answer 116

Guest Internet access would be classified as non-critical business assets and processes because its loss would have very little, if any, impact on the ability to continue to operate normally. Loss of the DNS server would bring the entire network down shortly after its loss. DNS services are required to access any asset, locally or remotely, by its name rather than its IP address. Loss of the commerce server will spell a loss of income during the time it is down and damage to the organization’s reputation if it is an extended outage. While the company chat server is not typically considered one of the business-critical assets and processes, as compared to guest Internet access, it would be considered more important as it provides a form of communication that could be a backup if email is down.

Answer 117

When an attacker is able to install a shell (also called dropping a shell), they will be able to access a command line interface to the system. In this scenario, one’s ability to interpret any strange commands they may have entered and executed may help to identify exactly what the attacker did or was attempting to do.

Answer 118

An email-based attack uses embedded and malicious links in an email. While training users not to click any hyperlinks in incoming emails is one solution, you can go a step further and disable hyperlinks in emails.

Answer 119

When an attacker alters an email header to obscure the sender and perform impersonation, a solution would be to implement DomainKeys Identified Mail (DKIM), an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.

Answer 120

When an attacker compromises the DNS system, a solution would be to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC). When a DMARC DNS entry is published, any receiving email server can authenticate the incoming email, preventing a delivery based on an altered header. DMARC extends two email authentication mechanisms: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify how to check the From: field presented to end users.

1. Cyber Security Concepts Flashcards

Quiz Revision