1. Cyber Security Concepts Flashcards
Quiz Revision
A hacktivist group claims responsibility for infecting a manufacturer’s systems by planting an infected USB drive at the company’s office. The manufacturer’s distributor, several vendors, and hundreds of customers were all eventually infected with the malware that stole important credential information.
Which term describes this attack strategy?
A)Cloud-based
B)Direct access
C)Supply-chain
D)Social media
A supply-chain attack is not an attack on a target directly but on a more vulnerable company or resource within its supply chain that helps the organization conduct business or create a product. An increasing number of hacks are being carried out this way.
Direct access is the most straightforward type of attack and usually the most preventable. It is a physical or local attack, such as an attacker exploiting an unlocked workstation and using a boot disk to install malicious tools or simply stealing a device.
In a cloud-based attack, hackers may try and exploit vulnerabilities in cloud-based web service providers to gain access to a tenant organization’s data.
Social media attacks occur when malware is attached to social media posts or presented as downloads on social media sites. At their most dangerous, hackers can make it so a compromised site automatically infects a vulnerable computer.
In order to log onto a system, you must first complete a CAPTCHA, then enter a code that is sent to your cell phone via SMS. What is that code an example of?
A)Passwordless
B)Cloud access security broker
C)Multi-factor authentication
D)Single sign-on
Passwordless authentication provides alternative mechanisms to authenticate users, using items that do not have to be remembered by the user. Examples of passwordless authentication include hardware tokens, smart cards, biometrics, and one-time passcodes sent to a cell phone.
CASB
A cloud access security broker (CASB) is a checkpoint where security policies are enforced, located between an organization’s users and its cloud providers. A CASB can ensure cloud security by comparing users, applications, and devices against multiple security policies.
What Criteria does MFA involved in?
Multi-factor authentication (MFA) involves using two independent sets of information to authenticate a user. Common MFA methods are:
Something you know, such as a user name, password, or PIN.
Something you are, such as a biometric measurement, e.g. a fingerprint or facial recognition.
Something you have, such as a smart card or token.
Somewhere you are, often based on your GPS coordinates.
In security operations, which of the following would provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness?
A)Windows registry
B)Logging levels
C)System processes
D)System hardening
System processes provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness, to name a few. A Security Operations Center (SOC) operates 24x7 maintain the organization’s security posture. The abovementioned system processes provide the guidelines that the SOC uses for its operations.
Windows Registry?
The Windows registry is a database that contains all the application settings and current configuration parameters for the hardware and software on a Windows system. Each machine running a Windows OS has a registry that contains keys (which identify applications, processes, hardware) and values (specific configuration data related to the key). For example, if a key was related to a printer, values associated with the key could include printing orientation, print history, default paper tray, and default paper size.
The Windows OS uses the registry database for storing all configuration settings. In Linux, each application and process has its own configuration file. The Linux file structure uses the /etc/ directory for configuration file locations.
Hardware architecture is also an important concept. If the hardware is not secure, it would be very difficult to build secure applications and databases and to have high availability. Physical access to critical hardware, such as servers, routers, wireless access points, and network switches, is often overlooked. It is not uncommon that administrative passwords are set to the default, firmware does not get updated, and encryption is not adequate for the device.
What are the logging levels classification?
Logging levels are classifications that indicate the severity or urgency of the logged event. Common logging levels include Emergency, Alert, Critical, Error, Warning, Notice, and Debug.
System Hardening
System hardening increases the security of a server or a computer system by reducing vulnerabilities and the attack surface. Examples of system hardening activities include removing unnecessary applications, closing down ports, and adjusting permissions.
Which of the following has a Policy Engine, a Policy Administrator, and a Policy Enforcement Point?
A)Personally identifiable information (PII)
B)Cardholder data
C)Data loss prevention
D)Zero trust
Zero-trust architecture consists of a Policy Engine, a Policy Administrator, and a Policy Enforcement Point. The goal of zero trust is to continuously monitor the authentication and authorization of devices, users, and processes. The Policy Engine is responsible for granting or denying access based primarily on policy, but other factors can be taken into consideration. The Policy Administrator decides to open or close the communication path from the requestor to the resource, based on the decision of the Policy Engine. The Policy Enforcement Point establishes and terminates the connections.
What does DLP prevent when it comes to PII and CHD?
Data loss prevention (DLP), personally identifiable information (PII), and cardholder data (CHD) are all related to sensitive data protection.
Data loss prevention is designed to detect and stop data exfiltration behavior by users. If DLP software is not present, data exfiltration might only be discovered after the event.
Personally identifiable information (PII) is data that can be used to identify a single individual.
Cardholder data is very sensitive data in e-commerce transactions. The manner in which a website uses CHD is regulated by the Payment Card Industry Data Security Standard (PCI DSS). The most recent version of PCI DSS is 4.0.
Your company is governed by several regulations that state that you must use automated systems that provide CCE and CVE identifiers for vulnerability scans. Which of the following should you implement?
A)SCAP
B)SIEM
C)NAC
D)SNMP
You should implement Security Content Automation Protocol (SCAP), which provides Common Configuration Enumeration (CCE) and Common Vulnerabilities and Exposures (CVE) identifiers.
SIEM
Security information and event management (SIEM) provides centralized security event management. When SIEM is implemented, security analysts can produce reports on all ingested data.
SNMP
Simple Network Management Protocol (SNMP) collects management information from devices. It is used to communicate with network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network.
The team is analyzing a shell script that was run on a server. How can they recognize comments in the script?
A)line starts with a #
B)line starts with $
C)line start with a !
D)line starts with a @
Comments are ignored by the shell. They typically begin with the hash symbol (#) and continue until the end of the line.
The exclamation mark (!) is used with the Equal relational operator. != means Not Equal and returns true if the two operands are not equal. Otherwise, it returns false.
The dollar sign ($) is used to return the value of the last executed command.
The at symbol (@) can be used with the $ symbol to pass all of the parameters to the script.
Obtaining which of the following can reduce the likelihood of purchasing counterfeit equipment?
A)Fingerprint
B)OEM documentation
C)SLA
D)Hash value
One of the ways you can reduce the likelihood of purchasing counterfeit equipment is to insist on the inclusion of verifiable original equipment manufacturer (OEM) documentation. In many cases, this paperwork includes anti-counterfeiting features. Make sure you use the vendor website to verify all of the various identifying numbers in the documentation.
You have quarantined an instance of malware and would like to execute the payload to see what it does without spreading it through the network. What tool or process could be used to do this safely?
A)Cuckoo Sandbox
B)email header analysis
C)DKIM
D)pattern recognition
Cuckoo Sandbox is used to investigate suspicious files or websites. It not only analyzes files and websites but also traces API calls, dumps any related network traffic, and analyzes the processes running in memory. When you execute a malicious payload in a sandbox, the sandbox allows it to run while preventing the spread of any activity generated by the malicious payload.
You are a cyber security analyst. Your organization has several products and services implemented within their IT environment. Management finds it difficult to view security and operational metrics for all the products. You recommend that management approve implementing single pane of glass solution to resolve the visibility issue.
Which of the following statements is NOT true of implementing a single pane of glass solution?
A)It increases efficiency by eliminating the need to switch back and forth between separate IT operations management solutions.
B)It provides an easy-to-navigate GUI.
C)It provides a centralized display of security and operational metrics that is readily available to management.
D)It displays and sends data in real time from the centralized application whenever relevant events occur in the environment.
A single pane of glass solution does not display and send data in real time when relevant events occur in the environment. You would implement webhooks in an application to display and send data in real time when a relevant event occurs in the environment. Webhooks can be leveraged to automate certain workflows.
A single pane of glass solution provides a single management console that displays data from multiple sources. The glass in the term “single pane of glass” refers to a computer monitor or mobile screen where users can view meaningful data from multiple sources.
What can a single pane of glass solution providers include in their features? What are the benefits?
A single pane of glass solution provides many features and benefits, such as:
A centralized display of security and operational metrics that is easy to read and understand by management.
An efficient solution that
eliminates the need to switch back and forth between IT operations management solutions.
An easy-to-navigate graphical user interface (GUI).
Typically, single pane of glass solutions also provides event alerts and notifications, root cause analysis, remote debugging capabilities, reporting, and the ability to integrate data from multiple technologies and vendors.
You are assisting a senior forensics investigator with a crime scene. While you are watching, he runs the following command:
user@kaplan:~# md5sum /dev/pw3
He receives the following output:
9b98b637a132974e41e3c6ae1fc9fc96 /dev/pw3
What is the long string of values in the output called?
A)Initialization vector
B)Hash value
C)Salt value
D)Encryption key
That value is the hash value, and it was derived by running the file against the now-deprecated MD5 hashing algorithm. This algorithm generates this value based on the contents of the file or volume against which it was run. Its value is in providing a way to determine, at a later time, if the file or volume has changed. To validate an image, a hash is generated for both the original and the copy. If the hashes match, then the images are identical. Both hashes should be recorded as part of the forensic log for the investigation.
It is not an encryption key. Encryption keys are used to encipher a message. MD5 does not perform encryption. It generates a value that can be used to determine the integrity of the file or volume.
It is not an initialization vector (IV). These are values used within certain encryption algorithms to add randomness to the calculations to prevent patterns in the output that can be used to reverse-engineer the encryption key.
A salt value is random data that is used as an additional input to a one-way function that “hashes” a password or passphrase. It is used to make cracking the hash more difficult.
Which network architecture concept allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents?
A)Secure Access Service Edge
B)Hybrid
C)Software-defined networking
D)On-premises
Software-defined networking (SDN) allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents.
On-premises network architecture allows an organization to maintain control of its architecture and resources by hosting it on-site. With on-premises, the organization can also host a private cloud on its hardware.
Hybrid cloud architecture is an environment where some items are stored in a public cloud and some items are stored in a private cloud. In short, a public cloud allows an organization to “rent space” (much like a tenant in an office building) from another organization in an Internet-accessible datacenter, place sharable resources in that space, and configure access to those resources. A private cloud is an Internet-accessible datacenter that serves only one tenant.
Secure Access Service Edge (SASE) is used to ensure security in a software-defined wide area network (SD-WAN) environment, particularly in a cloud environment. SASE is often associated with the zero-trust model.
Which threat actor type can be characterized by having an unsophisticated skill level, uses widely available tools, and is frequently motivated by the need to prove that they can do it?
A)Nation-state
B)Script kiddie
C)Hacktivist
D)Organized crime
Script kiddies typically have an unsophisticated skill level and rely on tools that are widely available on the Internet. They are often motivated by the thrill of the chase and by the need to prove that they can do it. For the most part, script kiddies have limited time and financial resources.
Hactivists
Hacktivists are activists who use hacking techniques to promote their own political or social agenda. Their activities can cause DoS and DDoS attacks or they place embarrassing posts on websites or social media sites of an organization with opposing views. They often believe they are engaging in a righteous and morally correct cause, even if their activities are illegal. As with script kiddies, hacktivists often have limited time and financial resources. However, a hacktivist within a sophisticated or large organization may have access to significant resources.
Organized Crime
Organized crime attacks are carried out by criminal groups for the sole purpose of monetary gain. Organizations such as the Mafia, Russian organized crime, the Japanese Yakuza, and drug cartels have significant resources in terms of time and money to recruit hackers to carry out their agenda.
Nation-state or APT
Nation-state or Advanced Persistent Threat (APT) attacks are conducted by one nation against another nation, or against a significant entity within the target country, and feature large coordinated attacks. APT attackers have significant time and financial resources. Motives could be financial, political, disruption of the economy, or theft of intellectual property such as military secrets.
Your organization’s reputation is staked on a book it publishes yearly. When you perform data classification, how should you classify this book and its contents?
A)intellectual property
B)corporate confidential data
C)PHI
D)personally identifiable information
~]Intellectual property is a tangible or intangible asset to which the owner has exclusive rights. Intellectual property law is a group of laws that recognizes exclusive rights for creations of the mind. This includes books and music.
PII
Personally identifiable information (PII) is any piece of data that can be used alone or with other information to identify a single person.
PHI
Personal health information (PHI) is the medical records of individuals and must be protected in specific ways as prescribed by the regulations contained in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Corporate confidential data
Corporate confidential data includes trade secrets, intellectual data, application programming code, and other data that could seriously affect the organization if unauthorized disclosure occurred. The book contains corporate data, but it cannot be considered confidential if it is released into the public space every year.
During a data classification meeting, someone mentions a type of data covered by PCI DSS. What type of data is this?
A)Corporate confidential data
B)PHI
C)Intellectual property
D)Credit card data
The Payment Card Industry Data Security Standard (PCI DSS) affects any organizations that handle cardholder data (CHD) for the major credit card companies. The latest version of the standard is 4.0. To prove compliance with the standard, an organization must be reviewed annually.
You need a tool that can aggregate logs from multiple firewalls, send alerts when certain behaviors are detected in the network, provide trend analysis, and analyze user behavior. What should you choose?
A)WHOIS
B)SOAR
C)SIEM
D)EDR
A Security Information and Event Management (SIEM) system collects data from the different security devices in the system, such as firewalls and IPSes, and then aggregates the log files for analysis. It provides predictive trend analysis, behavior analytics, alerts, and even helps you comply with regulations like SOX and HIPAA. Automated alerting and triggers are SIEM features that allow the system to react based on predetermined criteria.
SOAR
A Security Orchestration, Automation, and Response (SOAR) playbook is a checklist of incident response steps to be performed when an incident occurs. In Microsoft Azure, the Azure Sentinel service has playbooks that automate and orchestrate responses to threats. You can configure a playbook to run manually or automatically in response to specific alerts or incidents that are triggered by an automation rule.
EDR
Endpoint Detection Response (EDR) is designed to supplement existing systems. It focuses on a proactive versus reactive approach for the detection and prevention of threats before they can attack the organization.
WHOIS
WHOIS is a service that can be used to identify details on the owner of a website.
You have discovered that several workstation computers on your company’s network have been infected with a Trojan that is used to target a single server. Which vulnerability has infected the workstation computers?
A)APT
B)Ransomware
C)Spyware
D)DDoS
A Distributed Denial of Service (DDoS) is the vulnerability that has infected the workstation computers. The workstations will now act as zombies to carry out the attack on a single server.
Spyware enables an attacker to obtain information about another’s computer activities by transmitting data covertly from their hard drive.
Ransomware is malicious software that blocks access to a computer system until a sum of money is paid.
An advanced persistent threat (APT) is an attack in which an unauthorized user accesses a network and stays there undetected for a long period of time with the intention of stealing data.
You are a security analyst working with a forensic investigator. The investigator has found data on a very old Windows computer. You decide to run OpenVAS. Which function is provided by this tool?
A)Vulnerability scan
B)Fuzzer
C)Packet capture
D)Interception proxy
OpenVAS is a vulnerability scan tool. Other vulnerability scanning tools include Qualys, Nessus, OpenVAS, Nexpose, and Nikto.
Fuzzer
Fuzzers include Untidy, Peach Fuzzer, and Microsoft SDL File/Regex Fuzzer
With fuzzing, random data is run against your test in an attempt to find vulnerabilities or crash-causing inputs. Some examples of vulnerabilities that can be found by fuzzing are SQL injection, buffer overflow, denial of service and cross-site scripting attacks.
Interception Proxies
Interception proxies include Burp Suite, ZAP, and Vega
Packet Capture Tools
Packet capture tools include Wireshark, tcpdump, Network General, and Aircrack-ng.
Which of the following is a process similar to building a system image but for applications?
A)Serverless
B)Containerization
C)Federation
D)Virtualization
Containerization is similar to building a system image, but for applications. It is an application development model that stores everything needed to run that application in an executable image. All of the libraries, binaries, configuration info, etc., are stored in the container.
Severless
Serverless is an application development model that provides developers the opportunity to build and run applications in the cloud, without the added responsibility of having to maintain servers.
Federation
Federation allows customers of different cell phone services to communicate with each other. While each network has its own infrastructure, devices such as routers and gateways as well as network services are uniformly configured to a common standard. In general, federation allows members of disparate networks to communicate with each other.
You have just been hired as a junior cybersecurity analyst. The orientation process involves shadowing a senior analyst. To gauge your current knowledge level, the senior analyst is testing your ability to recognize various tools of the trade. He gives you a quick look at a tool’s GUI.
The tool shown is Wireshark, which is a packet analyzer. Packet analyzers are also called sniffers or protocol analyzers. This type of tool captures traffic on the network.
Which of the infrastructure concepts below provides developers with the opportunity to build and run applications in the cloud, without the extra responsibility of having to maintain servers?
A)Serverless
B)Secure Access Service Edge
C)Containerization
D)Virtualization
Serverless is an application development model that provides developers the opportunity to build and run applications in the cloud, without the extra responsibility of having to maintain servers on premises.
SASE
Secure Access Service Edge (SASE) is used to ensure security in a software-defined wide area network (SD-WAN) environment, particularly in a cloud environment. SASE is often associated with the zero-trust model.
Recently, there was an attack on the network, but the team was unable to gather enough information to identify the attacker. If the attack happens again, then you want to have more time to gather information while it is still occurring. What should you implement?
A)Subnets
B)VLAN
C)Honeypot
D)Jump box
You should implement a honeypot. Honeypots are systems that are configured to be attractive to hackers and lure them into spending time attacking them while information is gathered about the attack.
Which of the following network architecture concepts consists of a Policy Engine, a Policy Administrator, and a Policy Enforcement point?
A)Hybrid
B)Zero-trust
C)Cloud
D)Secure Access Service Edge
Zero-trust architecture consists of a Policy Engine, a Policy Administrator, and a Policy Enforcement Point. The goal of zero trust is to continuously monitor the authentication and authorization of devices, users, and processes. The Policy Engine is responsible for granting or denying access based primarily on policy, but other factors can be taken into consideration. The Policy Administrator decides to open or close the communication path from the requestor to the resource, based on the decision of the Policy Engine. The Policy Enforcement Point establishes and terminates the connections.
Your team has recently become concerned with activity on unexpected ports. You need to display the current protocol statistics and port connections for Windows and UNIX/Linux computers. Which command should you use?
A)netstat
B)tracert
C)ping
D)nbtstat
Netstat (network statistics) is a TCP/IP utility that you can use to determine the computer’s inbound and outbound TCP/IP connections. Used without parameters, it displays a list of the current connections and their listening ports, including the protocol (TCP or UDP), local IP address and port, foreign IP address and port, and connection state.
When connections to unexpected ports are suspected, netstat can be used to identify the origin of any connections to the ports in question.
Newer versions of LINUX do not support netstat. In those versions, use the ss (socket statistics) command. To see all current TCP connections and their listening ports, you would run the ss – lt command, as shown below:
mcmillan@server69:~$ ss -lt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :7080 :
LISTEN 0 128 :6032 *:
LISTEN 0 128 :http *:
LISTEN 0 128 :6033 *:
LISTEN 0 128 :6033 *:
LISTEN 0 128 :6033 *:
LISTEN 0 128 :6033 *:
LISTEN 0 128 :ssh *:
LISTEN 0 128 :https *:
LISTEN 0 128 :::ssh
:::
What is the syntax for NetBios Information?
Issuing nbtstat at a Windows command prompt will show NetBIOS information.
Tracert vs Traceroute
Issuing tracert at a Windows command prompt will trace the route a packet takes from the source computer to the destination host. Traceroute is the Linux equivalent of the tracert command.
Which of the following is NOT an open-source method of collecting threat intelligence?
A)social media
B)blogs/forums
C)paid feeds
D)government bulletins
While paid security feeds are valuable, they are not considered open source, rather they are considered closed source because they are not available to everyone at no cost. They are proprietary and paid, and therefore considered closed-source intelligence.
Social media sites, blogs, and forums can be used to gather threat intelligence, especially when steps have not been taken to keep the organization’s sensitive data off the social media site. Since these public sites are available to all, any information useful to an attacker that is gathered from these sources is open-source intelligence.
Blogs and forums can also be sources of threat intelligence when bloggers and forum writers reveal more than they should about an organization’s information. Since these sites are available to all, this is open-source intelligence.
Government bulletins are a good source of the details of the latest known attacks and attack approaches. Since these bulletins are available to all, this is open-source intelligence.
You are a cyber security consultant for your company. Developers are creating an e-commerce application with a trial version and a paid version. You must recommend a solution that will automatically update the user’s trial subscription to the paid version once the user makes the purchase and the payment is processed.
Which solution should you recommend?
A)Integrate webhooks that will update the user’s trial version to the premium version.
B)Integrate plugins that will update the user’s trial version to the premium version.
C)Integrate an API that will update the user’s trial version to the premium version.
D)Integrate applets that will update the user’s trial version to the premium version.
You should recommend integrating webhooks into the application that will automatically update the trial version to the paid version when the payment is successfully processed. The webhook will be triggered when the payment processor notifies the application that the payment is complete, and not in scenarios where the payment fails to process or the payment session times out.
API
An application programming interface (API) is a web service that enables your application to interact with a database, other applications, and other platforms. Your application can be your SaaS product or an e-commerce website. While an API can be used for functions such as displaying dynamic data in your application (in which the API is called to fetch the information from the database and display it) it cannot be used to upgrade pr update an application version.
PlugIns
Plugins are small reusable components or programs that can be added to your web applications for additional functionality. For example, when you add WordPress plugins to your WordPress website it enhances the web application’s functionality. In this scenario, plugins cannot be used to automate the subscription upgrade upon payment.
Applets
An applet is a small program that is coded to perform specific function in an application. Applets are mostly associated with Java programming language. Applets provides limited functionality and cannot be used to automate the subscription upgrade upon payment.
You have observed that your network has fended off breach attempts from the same IP address several times recently. Which of the following could you use to address the issue?
A)Strings
B)AbuseIPDB
C)VirusTotal
D)Joe Sandbox
AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the Internet by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online. Like the WHOIS database, which can be searched for DNS domains with a bad reputation for sending malicious traffic, AbusePBD reports on IP addresses and ranges of addresses with a bad reputation for engaging in hacking attempts or other malicious behavior.
Strings
Strings is a utility that searches an executable for ASCII and Unicode strings. It ignores context and formatting, so it can analyze any file type and detect strings across an entire file (although this also means that it may identify bytes of characters as strings when they are not).
Virus Total
VirusTotal checks the hash values of a suspect file against those in online and offline malware databases. Further examination is made easier as a result of this procedure, which reveals more about the code’s functioning and other important data.
Joes Sandbox
Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, macOS, Linux, and iOS for suspicious activities. It performs deep malware analysis and generates comprehensive and detailed analysis reports.
Which of the following is NOT a consideration when establishing the confidence level in the findings of a vulnerability scan?
A)accuracy of scan results
B)relevance of scan results
C)cost of scan results
D)timeliness of scan results
While it is true that security initiatives, such as a vulnerability scan, must create value that exceeds the cost, the cost of obtaining the scan results is not a consideration when establishing the confidence level in the findings.
The accuracy of the results is perhaps the most important consideration when establishing the confidence level. Inaccurate results can lead to wasted effort on noncritical issues, while more critical issues are left unaddressed.
The relevance of the results is also consideration when establishing the confidence level because in some cases results may indicate an issue that, while present, is irrelevant. For example, a missing patch for SQL Server is irrelevant when the organization uses Oracle.
Finally, the timeliness of the results is a consideration. Older data may be less valuable than more recent data because there is more time to react to a new issue, while it may be that nothing can be done about an older issue.
A recent attack was allowed to continue longer than it should have because the cybersecurity team was slowed by the need to locate and read the security logs on the infrastructure devices through which the attack flowed.
During the lessons learned meeting, mitigations for this problem were discussed. Which of the following would allow you to not only centralize the logs but also centralize their analysis for security issues?
A)SCADA
B)SIEM
C)Syslog
D)NetFlow
Security information and event management (SIEM) software can collect logs from specified devices, combine the logs, and analyze the combined logs for security issues. By doing so, they can identify attacks that would be more difficult to identify otherwise.
Which of the following is a system that has been isolated from the other systems and is used for analyzing suspicious files and messages for malware?
A)Honeypot
B)Sheep dip computer
C)Sandbox
D)Virtual machine
One option for studying malware is to set up a sheep dip computer. This is a system that has been isolated from the other systems and is used for analyzing suspicious files and messages for malware.
You are a cybersecurity analyst for your organization. You are in the process of implementing Security Orchestration Automation and Response (SOAR) tools that will collect data about security threats from various sources and respond to security incidents in an automated manner.
Which of the following statements is NOT true of a SOAR solution?
A)It creates a knowledge base and help organizations to avoid and deal with security threats.
B)It analyzes collected data, identifies patterns, and automatically assesses and triggers alerts for appropriate action and response.
C)It receives alerts about security incidents and responds to each incident.
D)It provides a fully automated workflow from alert validation through playbook activation.
A SOAR solution does not analyze collected data to identify patterns, then automatically assess and trigger alerts for action and response. These functions are performed by a Security Incident and Event Management (SIEM) solution. SIEM technology collects event log data from a range of sources, identifies activity that deviates from the norm with real-time analysis, and takes appropriate action.
What are the three components of SOAR?
SOAR is a software technology platform that enables organizations to collect relevant data about security threats and respond to security events with minimal human intervention. SOAR platforms combine three components:
Security orchestration
Security automation
Security response
What are the three capabilities of SOAR?
A SOAR solution has the following capabilities:
Provides a fully automated workflow from alert validation through playbook activation.
Creates a knowledge base and helps the organization avoid and manage security threats.
Receives alerts about security incidents and responds automatically to the incident.
SOAR helps organizations improve the efficiency and effectiveness of their security operations by?
SOAR provides advanced threat protection and acts as a vital component of security operations across various divisions of the organization. Organizations use SOAR to monitor threat investigations and responses, for security intelligence management, and for security operations center (SOC) optimization. SOAR helps organizations improve the efficiency and effectiveness of their security operations by:
Improving response time to security incidents
Facilitating the investigation process
Integrating disparate threat protection technologies into a unified dashboard
Minimizing the impact caused by attacks
Managing and reporting security threats
Visualizing meaningful information through dashboards
Reducing operating costs
SOAR vs SIEM
SOAR is designed to automate and orchestrate incident response processes, streamlining workflows and enabling faster responses to security incidents. Conversely, SIEM primarily focuses on collecting, analyzing, and correlating security event data to provide insights and detect threats in real-time.
Recently your network was attacked, and the attack had the following characteristics:
It appeared to be directed at your organization specifically.
It was carried out over a long period of time.
It appeared to originate from multiple sources.
The attack targeted specific assets.
The team is performing threat classification. Which of the following is the best description of this attack?
A)APT
B)passive
C)known
D)zero-day
The attack described has all the elements of an advanced persistent threat (APT). An APT is a hacking process that targets a specific entity and is carried out over a long period of time. In most cases, the victim of an APT is a large corporation or government entity. The attacker is usually a group of organized individuals or a hostile government.
In an APT, the attackers have a pre-defined objective, such as a specific asset belonging to your organization (including smartcard credentials, control of social media logins, a database of PII, and so on). Once the objective is met, the attacks stop. APTs can often be detected by monitoring logs and network performance metrics.
passive vs active attacks?
A passive attack is one in which the attacker only captures information but does not take any actions or send any data on the network. APT attacks are active attacks in which actions are taken by the attacker. However, APTs typically begin with passive reconnaissance.
A new addition was made recently to the secure part of the company website. Now, when new users are creating an account, they are prompted to identify the letters in a grainy graphic. What is this process called?
A)NAC
B)Jump box
C)CAPTCHA
D)SSO
A Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) system uses a graphic, which is difficult for a bot to read but not a human, to ensure that bots (automated process used by hackers to create accounts) are not allowed to create accounts.
Which research source can help in discovering new vulnerabilities and potential threats in existing Internet standards?
A)TTPs
B)STIX
C)TAXII
D)RFCs
A Request for Comments (RFC) is often issued when a new technology or practice is suggested within the industry. It represents a call for peer review on the subject. RFCs are administered and issued by various bodies, among them the Internet Engineering Task Force (IETF) and the National Institutes of Standards and Technology (NIST).
TTP
TTP stands for tactics, techniques, and procedures and is a concept that is used to identify patterns of behavior that can be employed to defend against certain strategies and threat vectors utilized by malicious actors.
STIX
Structured Threat Information eXpression (STIX) defines a common language for discussion threat intelligence and serializes it into a coherent format. It is a tool for spreading information about vulnerabilities, and not a research source.
TAXII
TAXII stands for Trusted Automated eXchange of Indicator Information. It was designed to specifically support STIX by defining how cyber-threat information can be shared via services and message exchanges. STIX and TAXII are both tools for sharing research, not research sources.
An organization recently suffered a data breach. When the issue was investigated, the organization found that a disgruntled employee concealed product release dates within an image file he sent to someone else. What is this process called?
A)double tagging
B)masquerading
C)data exfiltration
D)steganography
Steganography is the process of removing some bits of information about a graphic and inserting data that you want to hide in place of the missing graphic information. This swapping does not typically have a noticeable effect on the graphic, but it allows the sender to hide data that can be extracted later via the same application used to insert it into the graphic. The best defense against steganography is to periodically scan PCs for questionable software. The presence of steganography software on any system should be prohibited unless it is specifically required for business purposes.
Double Tagging
This is not double tagging. Double tagging is an attack that allows a malicious individual to access a VLAN for which they are not a member. Double-tagging attacks can be prevented by keeping the native VLAN of the trunk ports different from the user VLANs.
Masquerade
This is not masquerading. Masquerading is when a single public IP address is used by all interior devices when accessing the Internet. This is done by deploying Network Address Translation (NAT). It is called NAT because none of the devices will reveal their private IP address to the outside world.
Several of the systems you manage are displaying odd behavior. You are trying to determine if the issue is host-related or application-related. Which of the following is a host-related issue?
A)anomalous activity
B)introduction of new accounts
C)unexpected output
D)registry changes
Changes to the registry or anomalies in the registry settings is a host-related issue, as these settings affect the entire system.
What behaviours are deemed odd when it comes to applications?
Anomalous activity, such as an application shutting down unexpectedly, is an application-related issue.
When new accounts for an application appear, it is an application-related issue. It is also an indication of a serious security issue, as adding accounts probably requires administrator rights.
When a program begins to display unexpected output, such as a strange new dialog box, it is an indication of an application-related security issue. In many cases this is an indication that a malware infection has occurred.
Your company needs to ensure that all devices connecting to the network are prevented from introducing malware and other vulnerabilities into the network. This includes deploying patch management for systems and applications and hardening systems. What technique are you implementing?
A)System isolation
B)Endpoint security
C)Network segmentation
D)Sinkholes
You are implementing endpoint security. Endpoint security involves protecting the endpoints (workstations, printers, and so on) in the network, including protecting them from other endpoints that spend at least some of the time outside the LAN. This is done by verifying patches and updates before the device is allowed access to the network. Endpoint security also includes the process of hardening endpoints.
Sinkhole
You are not implementing a sinkhole. A sinkhole is a routing mechanism that can route traffic from a device being flooded to a location where the traffic can be studied.
Upon returning from a security seminar, the CEO is very concerned about social engineering attacks. Which of the following is NOT a social engineering attack?
A)dumpster diving
B)obfuscated links
C)SYN floods
D)piggybacking
A SYN flood is a denial-of-service (DoS) attack that originates from outside the network. It has nothing to do with social engineering.
You are investigating the symptoms displayed by a device in your network. The system is experiencing very high consumption of bandwidth during a time when there should not be a heavy workload on the device. Which issue is the most likely cause?
A)buffer overflow
B)rogue devices
C)ping sweep
D)DoS attack
While all of these issues should be a concern, when heavy bandwidth consumption is detected in the network the most likely cause is a denial-of-service (DoS) attack. High bandwidth usage is the key symptom of a DoS attack. The best course of action is to identify the source of the traffic and block it at the firewall. Going forward, you should prevent all traffic from outside the network that uses a source address that is a private address, keep all anti-malware up to date, and ensure that users are trained in safe practices.
What are the symptoms become unavailable?
A buffer overflow would not typically cause a surge in bandwidth usage. When these attacks occur, the device usually crashes. A symptom of buffer overflow is a device suddenly becoming unavailable. If this occurs, then all web applications in the device should be checked for proper input validation.
A buffer overflow attack typically involves violating programming languages and overwriting the bounds of the buffers they exist on. Most buffer overflows are caused by the combination of manipulating memory and mistaken assumptions around the composition or size of data.
Which process allows you to deploy, configure, and manage data centers through scripts?
A)Waterfall
B)IaC
C)Agile
D)Immutable systems
E)Baselining
Infrastructure as code (IaC) is the process of using definition and configuration files to provision and manage data centers. Automating this process through scripts can ensure that there is more control and less opportunity for error when deploying servers, as compared with manual configuration. IaC is the foundation for Secure DevOps. Secure Development Operations (Secure DevOps) means that security is built into all your development operations.
Water Fall
Waterfall is a development framework that uses tightly defined processes that are executed in a linear sequence.
Agile
Agile is a cyclical methodology where development phases are iterative, and each cycle moves the project a little closer to the final product.
Immutable
Immutable systems are those where the configuration is static and may not be changed.
Which of the following is NOT associated with public key infrastructure (PKI)?
A)Certificate store
B)Registration authority
C)Certificate authority
D)Single sign-on
Single sign-on (SSO) is not associated with PKI. It is a process that allows users to log on once to the network and thereafter not be required to issue another password to access resources.
Certificate authority (CA) is an element of PKI. The CA validates the entities identified in the certificate.
The registration authority (RA) authorizes certificates. The RA validates the user request for a certificate and directs the CA to issue the certificate.
The certificate store is used by applications running on a system to retrieve stored certificates, certificate trust lists, and certificate revocation lists.
Another element of PKI is the certificate database. This database stores information about the certificate, as well as the validity status and the validity period.
Your company has engaged with a threat intelligence sharing organization. In which of the following areas would you identify and share your controls chosen to address issues?
A)vulnerability management
B)security engineering
C)incident response
D)detection and monitoring
E)risk management
Part of risk management is identifying mitigations, called controls, to address issues. Examples of the types of controls are:
Preventative controls: controls that stop something from occurring, such as locks.
Managerial controls: controls that specify acceptable practices within an organization, such as acceptable use policies.
Corrective controls: controls put in place to reduce the effect of an attack or other undesirable event, such as backups.
Which of the following vulnerabilities is characterized by a user modifying a browser’s security settings to make it more convenient to visit websites?
A)Misconfiguration/weak configuration
B)Improper input handling
C)Improper error handling
D)Default configuration
If a user modifies a browser’s security settings to make it more convenient to visit websites, such as turning off pop-up blockers and anti-phishing controls, this is an example of a weak configuration. Misconfiguration and weak configurations can have a severe impact on the entire organization. Misconfiguration, such as not changing the default administrative user name or password, can also have a significant impact.
improper error checking
Improper error handling could allow an attacker to crash a program. Error checking should be built into every module or code function. An error should not result in a crashed application but rather generate an error message. Systems and components, such as routers, should never be deployed with the default configuration enabled. As an example, many small office/home office (SOHO) users are thrilled that they got their new wireless network to finally communicate “out of the box.” As a result, they do not change the default administrator information, leaving their network wide open for attack.
Which of the following provides extra layers of security for administrator accounts and service accounts?
A)Passwordless
B)Federation
C)Privileged access management
D)Cloud access security broker
Privileged access management (PAM) is a process that provides extra protection for roles above the level of regular users, such as an administrator or a service account. If an account that is assigned special access is compromised, that breach can have a more significant impact than a breach of a regular user’s account.
Which of the following has Firewall as a Service (FWaaS) as a component?
A)Network segmentation
B)Secure Access Service Edge
C)Software-defined networking
D)On-premises
Secure Access Service Edge (SASE) has Firewall as a Service (FWaaS) as one of its components. Other components include secure web gateways (SWG), a cloud access security broker (CASB), and zero trust network access (ZTNA). SASE is used to ensure security in a software-defined wide area network (SD-WAN) environment, particularly in a cloud environment. SASE is often associated with the zero-trust model.
SDN
Software-defined networking (SDN) allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents.
You are assembling tools that you need in your job as a security analyst. You must include a forensic suite tool. Which of the following will satisfy this requirement?
A)DD
B)Burp Suite
C)FTK
D)ZAP
FTK will satisfy the requirement of needing a forensic suite tool.
Burp Suite and Zed Attack Proxy (ZAP) are interception proxy tools. Another interception proxy tool is Vega.
DD is an imaging tool. While this type of tool is considered a forensics tool, it does not provide a forensic suite because it performs only one function, which is imaging.
Preventive tools
Preventative – includes tools that provide intrusion prevention system (IPS), firewall, antivirus, anti-malware, Enhanced Mitigation Experience Toolkit (EMET), web proxy, and web application firewall services.
Collective tools
Collective – includes tools that provide network scanning, vulnerability scanning, security information and event management (SIEM), packet capture, and intrusion detection system (IDS) services.
Analytical Tools
Analytical – includes tools that provide vulnerability scanning, monitoring, and interception proxy services.
Exploit tools
Exploit – includes tools that provide interception proxy, exploit frameworks, and fuzzer services.
Forensic Tools
Forensics – includes tools that provide forensics, hashing, password cracking, and imaging services.
Your team has begun using user behavior analysis to identify potential malicious activity. Which of the following is NOT an example of behavior that might be uncovered using this technique?
A)communication attempts from unusual geographic locations
B)editing of user groups
C)user activity at odd hours
D)breaking the key on a hashed password
User behavior analysis and analytics will be of no help when a hacker breaks the key to a hashed password, which is one that has had a message digest value generated using a hashing algorithm like SHA. If the message digest value is identified, the hacker will be able to identify the password. You cannot directly turn a hashed value into the password, but you can work out what the password is if you continually generate hashes from passwords until you find one that matches.
Any abnormal user behavior can be evidence of a system compromise. Examples include:
Editing of user groups or other abnormal account activity
Communication attempts from unusual geographic locations or impossible travel
User activity at odd hours
You are a cyber security consultant in your company. You are educating developers regarding the use of webhooks when developing applications.
Which of the following scenarios would not be a suitable use for webhooks?
A)Automatically forwarding customer payments from an e-commerce platform to the accounting department
B)Deleting or updating data on other systems or databases.
C)Sending an email to a developer to request a fix for a non-urgent issue.
D)Notifying the customer support team when customers raise a payment dispute
Webhooks would not be suitable for deleting or updating data on other systems or databases. An API is the interface of the application that permits other programs or applications to request, input, delete, or update data in the application. A webhook uses an HTTP POST message to communicate from one application’s API to another application’s API. The communication is triggered in response to a user-defined event that occurs in the webhook’s application.
APIs and webhooks are used to accomplish similar goals, but in different ways. While APIs programmatically direct an entity to create an order, webhooks inform an API that an event has occurred. The message is used to trigger an action in response, such as sending an email or creating a calendar event.
What scenarios that webhooks are suitable for?
Webhooks are suitable in number of scenarios, which include but are not limited to:
Notifying the customer support team when customers raise a payment dispute.
Automatically sending invoices to accounting department after customers pay via an e-commerce platform.
Sending an email to a developer to request a fix for a non-urgent issue.
Webhooks are used to automate workflows. Other real-world scenarios where webhooks can be used would include:
Notifying an agent in a chat application when a query is sent in the chatbot engine.
Automatically sending an email to a marketing team via customer relationship management (CRM) software when a customer makes a purchase or exits a shopping cart without buying.
Receiving automatic email reminder notifications from your calendar application on your phone.
Automatically uploading photos from one social media platform to another, such as from Instagram to Twitter.
Which of the following are NOT examples of open-source threat intelligence? (Choose all that apply.)
A)deep/dark web
B)US-CERT
C)commercial threat data feeds
D)OWASP
E)internal cybersecurity response team
Commercial (private) threat data feeds are a good source of threat intelligence, but they are not considered open source because they are only available to paid partners. Threat intelligence can also sometimes be obtained from internal sources such as the organization’s cybersecurity response team, but these are not considered open source because they are not available to all.
You are in the process of completing final documentation of an incident investigation. You are classifying all of the symptoms exhibited during the incident. One of the symptoms of the target machine was unusually high memory consumption. Which of the following incident types could cause this condition?
A)malware
B)privilege escalation
C)data exfiltration
D)dictionary attack
High memory consumption is considered a host-related symptom. It typically indicates the presence of malware. Host-related symptoms are those related to use of resources on the host that will be recorded in the local logs of a device. Unusual processor or memory consumption could be determined by using a resource monitor on the device. If either of these symptoms occur, then you should suspect a malicious process is using the processing resources or memory. The best course of action is to scan the device for malware.
Common host-related symptoms include unusual processing consumption, memory consumption, or drive capacity consumption; unauthorized software and malicious processes; unauthorized changes and privileges; and data exfiltration.
Issues with drive capacity consumption could also be determined by using a resource monitor on the device. When this symptom occurs, you should suspect that some malicious process is filling the drive as part of a DoS attack. Again, the best course of action is to scan the device for malware.
Unauthorized software could be detected with a vulnerability scan that identifies unauthorized software. When discovered, you should suspect that a malicious individual has compromised the device, even if the unauthorized software is not classified as malware. Some legitimate third-party software has known vulnerabilities that put your entire network at risk if it is installed. The best course of action is to re-image the device using the latest snapshot, if available. To ensure security, you should use a policy that prevents the installation of unauthorized software and ensure that users are trained in safe practices.
Malicious processes could be detected by using a tool like Process Explorer. You should suspect the presence of malware if you notice unusual processor, memory, or drive capacity usage on a host. The best course of action is to scan the device using anti-malware software. If you are unable to remove the malicious software, you should re-image the device using the latest snapshot, if available, and ensure that anti-malware programs are kept up to date.
Unauthorized changes could be discovered by performing a compliance scan in which the current device settings are compared to a baseline. When it occurs, you should suspect that the device has been compromised. You should attempt to restore the device to the correct settings and remove any unauthorized permissions that have been granted. You may need to re-image the device using the latest snapshot, if available. Ensure that users are trained in safe practices and that user accounts are hardened against privilege escalation.
The general recommendation for all host-related attacks is to keep anti-malware up to date and ensure that all users are trained in safe practices.
The team is analyzing IoCs and categorizing them by their source. Which of the following is NOT an example of a host-related IoC?
A)abnormal operating system behavior
B)file system changes or anomalies
C)unauthorized scheduled tasks
D)registry changes or anomalies
E)unusual traffic spikes
Unusual traffic spikes is a network-related indicator of compromise (IoC). It can indicate a denial-of-service (DoS) attack is underway.
Abnormal operating system behavior, such as an unexpected reboot, is a host-related IoC.
File system changes made in an unauthorized manner and system anomalies (actions taken by the system that are statistically unusual as determined by an algorithm) are host-related IoCs.
Unauthorized changes to the registry settings or settings that are statistically unusual as determined by an algorithm (registry anomalies) can indicate either malicious changes or mistakes in configuration. This is also considered a host-based IoC.
Unauthorized scheduled tasks are automated operations that have been configured by an unauthorized individual. While scheduling tasks is a function that can be quite helpful in taking care of mundane and repetitive maintenance tasks, when they are configured by an unauthorized person, it is a host-related IoC.
Which protocol, or logical design could you implement in your network to ensure that events logged from multiple devices have the correct time synchronization?
A)NTP
B)SASE
C)SDN
D)MFA
A Network Time Protocol (NTP) server allows devices to synchronize their clocks using a common source. Accurate time synchronization is important to corroborate events and to follow the sequence of events that occurred in an attack.
Recently there was a DoS attack on one of the servers, which succeeded in taking the server down for three hours. You would like to deploy a solution that would allow you to detect a huge rush of traffic to a specific device and route it somewhere away from the device. What technique could you use?
A)Network segmentation
B)System isolation
C)Endpoint security
D)Sinkholes
You could use a sinkhole. A sinkhole is a routing mechanism that can route traffic from a device being flooded to a location where the traffic can be studied.
After a recent DoS attack, you discovered that one of your internal devices that can be reached externally has command and control software installed on it that allows it to send instructions to other devices in your network. What type of arrangement is this called?
A)sinkhole
B)honeypot
C)peer-to-peer botnet
D)rogue device
In a peer-to-peer botnet, devices that can be reached externally are compromised and installed with server software that makes them command and control (C&C) servers. The compromised devices then carry out attacks. The best course of action is to identify whether a botnet is present, and if so, to check ALL devices for malware.
If you discover a case of illegal peer-to-peer software, then ensure that devices are scanned for unauthorized software on a regular basis. You should also keep all anti-malware programs up to date and ensure that users are trained in safe practices.
This is not a rogue device because it is a known device being managed. Rogue devices by definition are unknown and unmanaged.
This is not a sinkhole. A sinkhole is a target to which hostile traffic can be directed that provides an appropriate place to analyze the traffic.
This is not honeypot. A honeypot is a device made to be attractive to hackers and designed to engage them so that evidence can be gathered about them.
Which of the following decrypts and opens incoming encrypted traffic, examines the contents for threats, and, providing there are no issues, re-encrypts the traffic for delivery?
A)Cloud access security broker
B)Public key infrastructure
C)Zero trust
D)Secure sockets layer (SSL) inspection
Secure sockets layer (SSL) inspection decrypts and opens incoming encrypted traffic, examines the contents for threats, and, providing there are no issues, re-encrypts the traffic for delivery.
Which of the following divides the network at Layer 2 or Layer 3 to create security barriers in the network?
A)Cloud
B)Network segmentation
C)Software-defined networking
D)Zero trust
Network segmentation involves dividing the network at either Layer 2 or Layer 3 to create desirable security barriers between devices in the network. It cannot route traffic from a device being flooded to a location where the traffic can be studied.
Of the choices below, what would you find in the /etc/ directory?
A)System processes
B)Linux configuration files
C)Windows registry
D)Containerization
You would find Linux configuration files in the /etc/ directory. In Linux, each application and process has its own configuration file. The Linux file structure uses the /etc/ directory for configuration file locations.
Your team recently suffered several attacks that leveraged the use of programming and scripting languages. They are investigating these languages. Which of the following is a lightweight formatted script designed for data transfer in which data is represented in name/value pairs separated by a comma?
A)XML
B)Python
C)PowerShell
D)JavaScript Object Notification (JSON)
JSON is an open standard file and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and arrays.
XML
Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing data. It makes use of tags to delimit elements.
Python
Python is a programming language that uses new lines to complete a command, as opposed to other programming languages which often use semicolons or parentheses.
PowerShell
PowerShell is an object-oriented automation engine and scripting language that features an interactive command-line shell that operates within Microsoft Windows. PowerShell was developed to help IT professionals configure systems and automate administrative tasks on Windows machines. Unlike other command-line shells that are based on text, PowerShell works with objects instead.
You are exploring the attack surface of a Windows 10 host. Which scripting environment is an automation standard for modern Windows systems?
A)VBA
B)Java
C)Bash
D)PowerShell
You are exploring the attack surface of a Windows 10 host. Which scripting environment is an automation standard for modern Windows systems?
A)VBA
B)Java
C)Bash
D)PowerShell
Bash
Bash (Bourne-Again Shell) is a common built-in command-line shell for UNIX and Linux systems.
Java
Java is a class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible. It is a general-purpose programming language.
VBA
Office Visual Basic for Applications (VBA) is an event-driven programming language that enables you to extend Office applications.
The team is using a tool to search for IoCs in a script. Which of the following is a sequence of characters that can be used to specify a match pattern in text?
A)the # character
B)XML
C)regular expressions
D)JSON
Regular expressions are sequences of characters that specify match patterns in text. While the use of regular expressions is somewhat complicated, the following regular expressions examples will execute a search as indicated:
a {5} will match “aaaaa”
n {3} will match “nnn”
[a-z] {4} will match any four-letter word such as “door”, “room” or “book”
[a-z] {6,} will match any word with six or more letters
Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing data. It makes use of tags to delimit elements.
The # character is used in JSON to indicate comments, which are ignored by the shell. They begin with the hash symbol (#) and continue until the end of the line.
JSON is an open standard file and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and arrays.
While performing a regular analysis of the firewall log, you discover that there is traffic leaving your network at regular intervals from the same device to the same destination. What is this type of traffic called?
A)ping sweep
B)probe request
C)peer-to-peer
D)beaconing
Beaconing refers to traffic that leaves your network at regular intervals. This type of traffic could be generated by compromised hosts that are attempting to communicate with (or call home to) the malicious party that compromised the host. The compromised hosts do this in response to the command and control software that is running on the hacker’s device. The best course of action is to identify the destination of the traffic and block it at the firewall. Beaconing indicates some sort of malware or compromise is present, so the best course of action is to remove all malware, and if the device still does not function properly after the malware removal, then re-image the device. You should also keep all anti-malware up to date and ensure that users are trained in safe practices.
This is not a ping sweep. A ping sweep would touch the device only once. Ping sweeps use ICMP to identify all live hosts by pinging all IP addresses in the known network. All devices that answer the ping are known to be up and running. The symptoms of this attack are unusual spikes in network traffic. These sweeps can be detected by intrusion detection systems (IDS) and intrusion prevention systems (IPS). They indicate an attempt to map your network. The best course of action is to identify the source of the sweeps. Going forward, you should also deploy an IPS or IDS, if not already present.
This is not a probe request. The device would not send these at regular intervals. That is a wireless transmission sent by a wireless station to associate with a WLAN that is not advertising its SSID.
This is not peer-to-peer traffic. Peer-to-peer traffic occurs between peers within your network or with hosts outside the network. This traffic would not be at regular intervals.
Your syslogs have too many entries, and it is difficult to isolate security events that require immediate attention. Which of the following logging levels would you want to exclude in order to fine-tune log ingestion?
A)Alert
B)Critical
C)Emergency
D)Notice
You would want to exclude the Notice logging level. Notice is used for events that are classified as informational and would not normally raise a security concern.
Logging levels are classifications that indicate the severity or urgency of the logged event. Common logging levels include Emergency, Alert, Critical, Error, Warning, Notice, and Debug. Log ingestion is the process of aggregating the logs collected from various devices across the network.
An Emergency logging level would indicate a critical system failure, which you would want to see in a syslog.
An Alert logging level would indicate a potential security threat.
A Critical logging level would indicate a serious system error.
Which of the following is NOT an example of active defense?
A)dynamically changing network topologies
B)honeypots
C)rotating IP addresses
D)encrypting data at rest
Encrypting data at rest is not considered an active defense. An active defense either changes something in reaction to an indicator of compromise (IoC) or presents an immediate challenge or distraction to the IoC.
Rotating IP addresses for sensitive assets is a form of active defense and is designed to make it more difficult to fingerprint a system, which includes capturing its IP addresses.
Dynamically changing the network topologies in response to the appearance of an IoC is a form of active defense. For example, a router might respond to the appearance of an IoC by shutting down an interface and placing a new route in the routing table, thereby routing traffic around the area where the IoC was detected.
A honeypot is a network device made to be attractive to hackers and designed to engage them so that evidence can be gathered about their methods and avenues of attack.
The team has isolated a piece of unusual software and is attempting to use a decompiler on it. What operations are they performing?
A)Salting
B)Decomposition
C)Hashing
D)Fingerprinting
One method of decomposing software is to use a decompiler to reconstruct the high-level code of the source language. Then it can be analyzed by one who understands the source code.
Nessus
The tool displayed is Nessus, a widely used vulnerability scanner. It shows the vulnerabilities found by the tool and color-codes them by severity, as shown on the graphic.
Metasploit
The Metasploit tool is used to mount various types of attacks
During which of the following IoC-handling processes would the assistance of NIST Special Publication 800-61 be invaluable?
A)application
B)collection
C)all of these processes
D)analysis
National Institute of Standards and Technology (NIST) Special Publication 800-61 provides guidelines for all stages of handling Indicators of Compromise (IoC), including collection, analysis, and application.
You suspect that a device has been compromised and is communicating with a remote C&C server. Which of the following symptoms would be indicative of this?
A)The device is suddenly unavailable
B)Traffic leaving your network at regular intervals from the same device to the same destination
C)An usually high number of ping requests to multiple hosts on your network within a short time frame
D)An unusual spike in network traffic
The activity described is called beaconing. Beaconing refers to traffic leaving your network at regular intervals from the same device to the same destination. This type of traffic could be generated by compromised hosts that are attempting to communicate with (or call home to) the malicious party that compromised the host. Hosts attempt to communicate with what is called a command and control (C&C) server. The best course of action is to first identify the destination of the traffic and block it at the firewall. It indicates some sort of malware or compromise so you should also remove all malware. If the device still does not function properly after the malware removal, then re-image the device. You should also keep all anti-malware up to date and ensure that users are trained in safe practices.
How can Ping sweeps be detected?
IPS and IDS
After a security breach occurred this morning, the cyber team is trying to identify all network-related symptoms of the event. Which of the following is NOT a network-related symptom of an attack?
A)Scan sweeps
B)Rogue devices on the network
C)Bandwidth consumption
D)Malicious processes
The presence of malicious processes is a host-related symptom, not a network-related symptom. Common network-related symptoms of incidents are bandwidth consumption, beaconing, irregular peer-to-peer communication, rogue devices on the network, scan sweeps, and atypical traffic spikes.
Malicious processes are located on devices, and thus are considered a host-related symptom. Common host-related symptoms include unusual processing consumption, memory consumption, or drive capacity consumption; unauthorized software and malicious processes; unauthorized changes and privileges; and data exfiltration. The general recommendation for all host-related attacks is to keep anti-malware up to date and ensure that all users are trained in safe practices.
Unusual processor or memory consumption could be determined by using a resource monitor on the device. If either of these symptoms occurs, you should suspect a malicious process is using the processing resources or memory. The best course of action is to scan the device for malware.
Issues with drive capacity consumption could also be determined by using a resource monitor on the device. When this symptom occurs, you should suspect that some malicious process is filling the drive as part of a DoS attack. Again, the best course of action is to scan the device for malware.
Unauthorized software could be detected with a vulnerability scan that identifies unauthorized software. When discovered, you should suspect that a malicious individual has compromised the device, even if the unauthorized software is not classified as malware. Some legitimate third-party software has known vulnerabilities that put your entire network at risk if it is installed. The best course of action is to re-image the device using the latest snapshot, if available. To ensure security, you should use a policy that prevents the installation of unauthorized software and ensure that users are trained in safe practices.
Malicious processes could be detected using a tool like Process Explorer. You should suspect the presence of malware if you notice unusual processor, memory, or drive capacity usage on a host. The best course of action is to scan the device using anti-malware software. If you are unable to remove the malicious software, then you should re-image the device using the latest snapshot, if available, and ensure that anti-malware programs are kept up to date.
Unauthorized changes could be discovered by performing a compliance scan in which the current device settings are compared to a baseline. When it occurs, you should suspect that the device has been compromised. You should attempt to restore the device to the correct settings and remove any unauthorized permissions that have been granted. You may need to re-image the device using the latest snapshot, if available. Ensure that users are trained in safe practices and that user accounts are hardened against privilege escalation.
Unauthorized privileges could be discovered by examining the event log to determine which users are performing these privileged acts. If the user can be identified, then disciplinary action should be taken. If not, then the best course of action is to scan the device for malware and for compliance to the baseline. Ensure that users are trained in safe practices and that user accounts are hardened against privilege escalation.
Data exfiltration can be discovered with DLP software, if present. If not, then data exfiltration may be discovered only when it falls into the wrong hands. The best course of action is to identify the source of the disclosure, if possible, and then take disciplinary action and employ a DLP solution in the enterprise.
You are an information security analyst for your company. You have been asked to identify IT business functions where tasks or processes could be automated to increase the speed and effectiveness of your team’s response to security incidents.
Which of the following processes should you evaluate as candidates for automation? (Choose all that apply.)
A)Processes that correspond to your identified threat models
B)Frequently executed processes
C)Processes that take a long time to execute
D)Processes that require human intervention
E)Rarely executed processes
F)Processes in a security response playbook
G)Processes that do not require human intervention
H)Processes that involve business-critical systems
You would evaluate the following processes to verify whether they are suitable for automation:
Frequently executed processes
Processes in a security response playbook
Processes that do not require human intervention
Processes that correspond to relevant threat models
Repeated and repeatable tasks that are frequently executed in the same way using the same parameters are strong candidates for automation. The benefit of automating these tasks is the amount of human time and attention freed up for other duties, such as threat analysis. You would not automate rarely executed processes because doing so would not be a net gain of efficiency in operations.
Processes in a security playbook and processes that correspond to relevant threat models should also be automated where feasible. These processes have already been identified as best practices for the team to follow in response to specific types of incidents. Automated threat detection and response can both increase the speed of incident discovery and halt a threat before it has time to advance further than the perimeter of the attack surface.
Processes that do NOT require human intervention, such as continually monitoring the status of all endpoints connected to a secure internal network, are also best suited for automation. For example, if an unknown device is discovered, automated processes can alert a human technician and send all related telemetry data for analysis.
Finally, processes that correspond to threat models identified as relevant to your organization should be evaluated for automation. While other types of IT-related processes can be automated, doing so will not improve overall security operations.
Cybersecurity will always require human engagement, and you would not look to automate tasks that require human judgement or intervention. However, you would always want to automate tasks to provide the human analysts with supporting information regarding any alert or incident, such as automatically finding the GPS location of a mobile device being used for a suspicious login.
Whether a process involves a business-critical system or takes a long time to execute does not factor into how suitable it is for automation.
Which concept allows customers of different cell phone services to communicate with each other?
A)Privileged access management
B)Multi-factor authentication
C)Single sign-on
D)Federation
Federation allows customers of different cell phone services to communicate with each other. While each network has its own infrastructure, devices such as routers and gateways as well as network services are uniformly configured to a common standard. In general, federation allows members of disparate networks to communicate with each other.
You have several SQL servers that were recently brought down by a DDoS attack. The attack was never detected by your signature-based IPS. When you received support from your vendor, you were told that the attack used an approach that was never seen before. What type of attack did you suffer?
A)known
B)zero-day
C)passive
D)APT
A zero-day attack is one discovered in live environments for which no current fix or patch exists, as in this case.
You have several servers to which you would like access to be possible only from a designated administrative workstation. Which of the following should you deploy?
A)Honeypot
B)VLAN
C)Jump box
D)Subnet
You should deploy a jump box. A jump server or jump box is a server that is used to access devices that have been placed in a secure network zone, such as a perimeter network (formerly referred to in documentation as a DMZ). The server would span the two networks to provide access from an administrative desktop to the managed device.
You need to control access to a server in your network to ensure that only authorized computers and devices are able to communicate with it. You need certain devices that are members of the same Microsoft domain to access the server while ensuring that other devices do not. You need to implement the appropriate configuration to allow a few non-domain devices to authentication and connect with the server.
Which concept is this, and what configuration is needed to make it happen?
A)Perimeter network, exception
B)System isolation, exception
C)Extranet, exception
D)Perimeter network, acknowledgement
This is an example of system isolation; in this case, it is Microsoft server isolation. The configuration required to allow the non-domain devices to be able to authenticate and connect with the server is called an exception.
Systems can be isolated from other systems through the control of communications with the device. By leveraging group policy settings, you can require that all communication with isolated servers must be authenticated and protected by using IPsec (and optionally encrypted as well). As group policy settings can only be applied to computers that are domain members, devices that are not domain members must be specified as exceptions to the rules controlling access to the device if they need access.
While it is true that entre networks can also be isolated from the network in general, this is not a perimeter network, and an acknowledgement is used on an intrusion detection system (IDS) to indicate that it has detected devices that are already known. A perimeter network is a network logically separate from the intranet where resources that will be accessed from the outside world are made available without requiring authentication. This type of network was previously referred to as a demilitarized zone (DMZ), but this term is no longer in common use.
This is also not a perimeter network with an exception. Exceptions are used with server isolation, not with perimeter networks.
This is not an extranet. An extranet contains resources available only to certain entities from the outside world through access that is secured with authentication. Exceptions are used with server isolation but not with extranets.
Over the weekend, several servers began to suffer from a variety of issues. Which of the following is NOT an application-related issue?
A)service interruption
B)any issue with a reference in the Application log in Windows Event Viewer
C)file system changes
D)unexpected outbound communication
Changes to the file system is a host-related issue, as it will affect the entire system.
An unexpected outbound communication is an application-related issue. In many cases, it is an attempt by a malicious backdoor to call home to the hacker.
A service interruption is an application-related issue, and only involves the interruption of that service.
Any time an issue is reported to the Application log in Windows Event Viewer, it is an application-related issue. This log is maintained by Windows systems and records when something occurs within (or affects) the application. Examples of logged events would include:
Memory leaks
Non-existent path errors
Unhandled exceptions in the code
A system crash
Which type of threat involves a highly skilled group of attackers who keep their presence hidden so that they can continually exploit their targets?
A)Insider threat
B)Shadow IT
C)DoS
D)APT
Advanced persistent threats (APTs) are prolonged strategic attacks that hackers try to keep hidden so that they can continually exploit their targets. They are usually sourced from hostile nation-states and have high-profile targets, including national infrastructure and the military.
You and the other members of your team are discussing the benefits and risks of a cloud environment versus an on-premises environment, and the discussion turns to security. Which statement is NOT true regarding cloud security?
A)Malicious behavior by insiders may compromise data.
B)Co-locations create a larger attack surface.
C)There is ambiguous responsibility.
D)It is easier to control administrative access.
Controlling administrative access is MORE difficult in a cloud environment because access is provided through the Internet, eliminating the physical security and perimeter security provided in the on-premises environment
It is true that insiders with the provider may cause issues due to the rights they have working in your support.
It is true that with the responsibility split between the provider and the tenant, gaps in securing the solution may appear.
It is true that co-locations create a larger attack surface. In this scenario, you are sharing the virtual environment and there is more danger from other tenants, which is an issue that does not exist in on-premises environments.
The threat hunting team is attempting to identify business-critical assets and processes. Which of the following would be the LEAST likely to be identified as such?
A)guest Internet access
B)commerce server
C)company chat service
D)DNS server
Guest Internet access would be classified as non-critical business assets and processes because its loss would have very little, if any, impact on the ability to continue to operate normally.
Loss of the DNS server would bring the entire network down shortly after its loss. DNS services are required to access any asset, locally or remotely, by its name rather than its IP address.
Loss of the commerce server will spell a loss of income during the time it is down and damage to the organization’s reputation if it is an extended outage.
While the company chat server is not typically considered one of the business-critical assets and processes, as compared to guest Internet access, it would be considered more important as it provides a form of communication that could be a backup if email is down.
In which of the following scenarios would the ability to interpret suspicious commands be helpful?
A)when an attacker alters an email header to obscure the sender
B)when an attacker accesses a shell
C)when an email-based attack uses embedded and malicious links
D)when an attacker compromises the DNS system
When an attacker is able to install a shell (also called dropping a shell), they will be able to access a command line interface to the system. In this scenario, one’s ability to interpret any strange commands they may have entered and executed may help to identify exactly what the attacker did or was attempting to do.
Email Based attack?
An email-based attack uses embedded and malicious links in an email. While training users not to click any hyperlinks in incoming emails is one solution, you can go a step further and disable hyperlinks in emails.
What can you use when an attacker obscure the header?
When an attacker alters an email header to obscure the sender and perform impersonation, a solution would be to implement DomainKeys Identified Mail (DKIM), an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.
What can you use a DNS system for email attacks?
When an attacker compromises the DNS system, a solution would be to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC).
When a DMARC DNS entry is published, any receiving email server can authenticate the incoming email, preventing a delivery based on an altered header.
DMARC extends two email authentication mechanisms: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify how to check the From: field presented to end users.
