1. Cyber Security Concepts Flashcards
Quiz Revision
A hacktivist group claims responsibility for infecting a manufacturer’s systems by planting an infected USB drive at the company’s office. The manufacturer’s distributor, several vendors, and hundreds of customers were all eventually infected with the malware that stole important credential information.
Which term describes this attack strategy?
A) Cloud-based
B) Direct access
C) Supply-chain
D) Social media
A supply-chain attack is not an attack on a target directly but on a more vulnerable company or resource within its supply chain that helps the organization conduct business or create a product. An increasing number of hacks are being carried out this way.
Direct access is the most straightforward type of attack and usually the most preventable. It is a physical or local attack, such as an attacker exploiting an unlocked workstation and using a boot disk to install malicious tools or simply stealing a device.
In a cloud-based attack, hackers may try to exploit vulnerabilities in cloud-based web service providers to gain access to a tenant organization’s data.
Social media attacks occur when malware is attached to social media posts or presented as downloads on social media sites. At their most dangerous, hackers can make it so a compromised site automatically infects a vulnerable computer.
In order to log onto a system, you must first complete a CAPTCHA, then enter a code that is sent to your cell phone via SMS. What is that code an example of?
A) Passwordless
B) Cloud access security broker
C) Multi-factor authentication
D) Single sign-on
Passwordless authentication provides alternative mechanisms to authenticate users, using items that do not have to be remembered by the user. Examples of passwordless authentication include hardware tokens, smart cards, biometrics, and one-time passcodes sent to a cell phone.
CASB
A cloud access security broker (CASB) is a checkpoint where security policies are enforced, located between an organization’s users and its cloud providers. A CASB can ensure cloud security by comparing users, applications, and devices against multiple security policies.
What criteria does MFA involve?
Multi-factor authentication (MFA) involves using two independent sets of information to authenticate a user. Common MFA methods are:
Something you know, such as a user name, password, or PIN.
Something you are, such as a biometric measurement, e.g. a fingerprint or facial recognition.
Something you have, such as a smart card or token.
Somewhere you are, often based on your GPS coordinates.
In security operations, which of the following would provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness?
A) Windows registry
B) Logging levels
C) System processes
D) System hardening
System processes provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness, to name a few. A Security Operations Center (SOC) operates 24x7 to maintain the organization’s security posture. The system processes mentioned above provide the guidelines that the SOC uses for its operations.
Windows Registry?
The Windows registry is a database that contains all the application settings and current configuration parameters for the hardware and software on a Windows system. Each machine running a Windows OS has a registry that contains keys (which identify applications, processes, hardware) and values (specific configuration data related to the key). For example, if a key was related to a printer, values associated with the key could include printing orientation, print history, default paper tray, and default paper size.
The Windows OS uses the registry database for storing all configuration settings. In Linux, each application and process has its own configuration file. The Linux file structure uses the /etc/ directory for configuration file locations.
Hardware architecture is also an important concept. If the hardware is not secure, it would be very difficult to build secure applications and databases and to have high availability. Physical access to critical hardware, such as servers, routers, wireless access points, and network switches, is often overlooked. It is not uncommon that administrative passwords are set to the default, firmware does not get updated, and encryption is not adequate for the device.
What are the logging level classifications?
Logging levels are classifications that indicate the severity or urgency of the logged event. Common logging levels include Emergency, Alert, Critical, Error, Warning, Notice, and Debug.
System Hardening
System hardening increases the security of a server or a computer system by reducing vulnerabilities and the attack surface. Examples of system hardening activities include removing unnecessary applications, closing down ports, and adjusting permissions.
Which of the following has a Policy Engine, a Policy Administrator, and a Policy Enforcement Point?
A) Personally identifiable information (PII)
B) Cardholder data
C) Data loss prevention
D) Zero trust
Zero-trust architecture consists of a Policy Engine, a Policy Administrator, and a Policy Enforcement Point. The goal of zero trust is to continuously monitor the authentication and authorization of devices, users, and processes. The Policy Engine is responsible for granting or denying access based primarily on policy, but other factors can be taken into consideration. The Policy Administrator decides to open or close the communication path from the requestor to the resource, based on the decision of the Policy Engine. The Policy Enforcement Point establishes and terminates the connections.
What does DLP prevent when it comes to PII and CHD?
Data loss prevention (DLP), personally identifiable information (PII), and cardholder data (CHD) are all related to sensitive data protection.
Data loss prevention is designed to detect and stop data exfiltration behavior by users. If DLP software is not present, data exfiltration might only be discovered after the event.
Personally identifiable information (PII) is data that can be used to identify a single individual.
Cardholder data is very sensitive data in e-commerce transactions. The manner in which a website uses CHD is regulated by the Payment Card Industry Data Security Standard (PCI DSS). The most recent version of PCI DSS is 4.0.
Your company is governed by several regulations that state that you must use automated systems that provide CCE and CVE identifiers for vulnerability scans. Which of the following should you implement?
A) SCAP
B) SIEM
C) NAC
D) SNMP
You should implement Security Content Automation Protocol (SCAP), which provides Common Configuration Enumeration (CCE) and Common Vulnerabilities and Exposures (CVE) identifiers.
SIEM
Security information and event management (SIEM) provides centralized security event management. When SIEM is implemented, security analysts can produce reports on all ingested data.
SNMP
Simple Network Management Protocol (SNMP) collects management information from devices. It is used to communicate with network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network.
The team is analyzing a shell script that was run on a server. How can they recognize comments in the script?
A) line starts with a #
B) line starts with a $
C) line starts with a !
D) line starts with a @
Comments are ignored by the shell. They typically begin with the hash symbol (#) and continue until the end of the line.
The exclamation mark (!) is used with the Equal relational operator. != means Not Equal and returns true if the two operands are not equal. Otherwise, it returns false.
The dollar sign ($) is used to return the value of the last executed command.
The at symbol (@) can be combined with the $ symbol ($@) to pass all of the parameters to the script.
Obtaining which of the following can reduce the likelihood of purchasing counterfeit equipment?
A) Fingerprint
B) OEM documentation
C) SLA
D) Hash value
One of the ways you can reduce the likelihood of purchasing counterfeit equipment is to insist on the inclusion of verifiable original equipment manufacturer (OEM) documentation. In many cases, this paperwork includes anti-counterfeiting features. Make sure you use the vendor website to verify all of the various identifying numbers in the documentation.
You have quarantined an instance of malware and would like to execute the payload to see what it does without spreading it through the network. What tool or process could be used to do this safely?
A) Cuckoo Sandbox
B) email header analysis
C) DKIM
D) pattern recognition
Cuckoo Sandbox is used to investigate suspicious files or websites. It not only analyzes files and websites but also traces API calls, dumps any related network traffic, and analyzes the processes running in memory. When you execute a malicious payload in a sandbox, the sandbox allows it to run while preventing the spread of any activity generated by the malicious payload.
You are a cyber security analyst. Your organization has several products and services implemented within its IT environment. Management finds it difficult to view security and operational metrics for all the products. You recommend that management approve implementing a single pane of glass solution to resolve the visibility issue.
Which of the following statements is NOT true of implementing a single pane of glass solution?
A) It increases efficiency by eliminating the need to switch back and forth between separate IT operations management solutions.
B) It provides an easy-to-navigate GUI.
C) It provides a centralized display of security and operational metrics that is readily available to management.
D) It displays and sends data in real time from the centralized application whenever relevant events occur in the environment.
A single pane of glass solution does not display and send data in real time when relevant events occur in the environment. You would implement webhooks in an application to display and send data in real time when a relevant event occurs in the environment. Webhooks can be leveraged to automate certain workflows.
A single pane of glass solution provides a single management console that displays data from multiple sources. The glass in the term “single pane of glass” refers to a computer monitor or mobile screen where users can view meaningful data from multiple sources.
What features can a single pane of glass solution include, and what are its benefits?
A single pane of glass solution provides many features and benefits, such as:
A centralized display of security and operational metrics that is easy to read and understand by management.
An efficient solution that eliminates the need to switch back and forth between IT operations management solutions.
An easy-to-navigate graphical user interface (GUI).
Typically, single pane of glass solutions also provide event alerts and notifications, root cause analysis, remote debugging capabilities, reporting, and the ability to integrate data from multiple technologies and vendors.
You are assisting a senior forensics investigator with a crime scene. While you are watching, he runs the following command:
user@kaplan:~# md5sum /dev/pw3
He receives the following output:
9b98b637a132974e41e3c6ae1fc9fc96 /dev/pw3
What is the long string of values in the output called?
A) Initialization vector
B) Hash value
C) Salt value
D) Encryption key
That value is the hash value, and it was derived by running the file against the now-deprecated MD5 hashing algorithm. This algorithm generates this value based on the contents of the file or volume against which it was run. Its value is in providing a way to determine, at a later time, if the file or volume has changed. To validate an image, a hash is generated for both the original and the copy. If the hashes match, then the images are identical. Both hashes should be recorded as part of the forensic log for the investigation.
It is not an encryption key. Encryption keys are used to encipher a message. MD5 does not perform encryption. It generates a value that can be used to determine the integrity of the file or volume.
It is not an initialization vector (IV). These are values used within certain encryption algorithms to add randomness to the calculations to prevent patterns in the output that can be used to reverse-engineer the encryption key.
A salt value is random data that is used as an additional input to a one-way function that “hashes” a password or passphrase. It is used to make cracking the hash more difficult.
Which network architecture concept allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents?
A) Secure Access Service Edge
B) Hybrid
C) Software-defined networking
D) On-premises
Software-defined networking (SDN) allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents.
On-premises network architecture allows an organization to maintain control of its architecture and resources by hosting it on-site. With on-premises, the organization can also host a private cloud on its hardware.
Hybrid cloud architecture is an environment where some items are stored in a public cloud and some items are stored in a private cloud. In short, a public cloud allows an organization to “rent space” (much like a tenant in an office building) from another organization in an Internet-accessible datacenter, place sharable resources in that space, and configure access to those resources. A private cloud is an Internet-accessible datacenter that serves only one tenant.
Secure Access Service Edge (SASE) is used to ensure security in a software-defined wide area network (SD-WAN) environment, particularly in a cloud environment. SASE is often associated with the zero-trust model.
Which threat actor type can be characterized by having an unsophisticated skill level, uses widely available tools, and is frequently motivated by the need to prove that they can do it?
A) Nation-state
B) Script kiddie
C) Hacktivist
D) Organized crime
Script kiddies typically have an unsophisticated skill level and rely on tools that are widely available on the Internet. They are often motivated by the thrill of the chase and by the need to prove that they can do it. For the most part, script kiddies have limited time and financial resources.
Hacktivists
Hacktivists are activists who use hacking techniques to promote their own political or social agenda. Their activities can include DoS and DDoS attacks, or they may place embarrassing posts on the websites or social media sites of an organization with opposing views. They often believe they are engaging in a righteous and morally correct cause, even if their activities are illegal. As with script kiddies, hacktivists often have limited time and financial resources. However, a hacktivist within a sophisticated or large organization may have access to significant resources.
Organized Crime
Organized crime attacks are carried out by criminal groups for the sole purpose of monetary gain. Organizations such as the Mafia, Russian organized crime, the Japanese Yakuza, and drug cartels have significant resources in terms of time and money to recruit hackers to carry out their agenda.
Nation-state or APT
Nation-state or Advanced Persistent Threat (APT) attacks are conducted by one nation against another nation, or against a significant entity within the target country, and feature large coordinated attacks. APT attackers have significant time and financial resources. Motives could be financial, political, disruption of the economy, or theft of intellectual property such as military secrets.