CASP Flashcards

1
Q

What is ISO 31000

A

A risk management framework.

2
Q

What type of risk can you not eliminate?

A

Residual risk

3
Q

What is residual risk?

A

Risk you cannot eliminate.

4
Q

What are two ways to measure risk?

A

Qualitative and quantitative.

5
Q

Which risk response is also included when risk mitigation is performed?

A

Acceptance

6
Q

What describes the probability of a threat being realized?

A

Likelihood

7
Q

What describes the amount of loss during a one year timespan?

A

ALE

8
Q

What is risk appetite?

A

An assessment of what level of residual risk is tolerable.

9
Q

What describes the amount of residual risk that is tolerable to the organization?

A

Risk appetite.

10
Q

What are the core functions of the NIST CSF?

A

NIST Cybersecurity Framework

Identify
Protect
Detect
Respond
Recover
11
Q

What are the required steps of the NIST RMF?

A

NIST Risk Management Framework Steps:

Prepare
Categorize
Select
Implement
Assess
Authorize
Monitor
12
Q

What are the steps of the risk management life cycle?

A

Risk Management Lifecycle:

Identify
Assess
Control
Review

13
Q

What is risk tolerance?

A

The thresholds that separate different levels of risk.

14
Q

Identify a popular risk framework.

A

NIST 800-37
COBIT
COSO
ISO 31000

15
Q

What phase of the risk management life cycle identifies effective means by which identified risks can be reduced?

A

Control

16
Q

What phase of the risk management life cycle identifies risk items?

A

Identify

17
Q

What phase of the risk management life cycle determines associated risk levels?

A

Assess

18
Q

What phase of the risk management life cycle determines if a risk level has changed?

A

Review

19
Q

What should include detailed descriptions of the necessary steps to complete a task?

A

Process

20
Q

What function of NIST CSF defines capabilities needed for the timely discovery of security incidents?

A

Detect

21
Q

What’s a formal mechanism for measuring performance of a program against desired goals?

A

KPI

22
Q

What program demonstrates a cloud service provider's adherence to security?

A

CSA STAR

Cloud Security Alliance, Security Trust and Risk

23
Q

What standards were established by the AICPA to evaluate controls designed to protect technology and finance?

A

SOC

24
Q

What is the cybersecurity standard developed by the DoD?

A

CMMC

Cybersecurity Maturity Model Certification

25
Which cloud service model represents the lowest amount of responsibility for the customer?
SaaS
26
What describes when a customer is completely dependent upon a vendor for products or services?
Vendor lock in
27
What describes when a copy of vendor-developed code is provided to a trusted third party?
Source code escrow
28
What describes all of the suppliers, vendors, and partners needed to deliver a final product?
Supply chain
29
What type of data sanitization involves multiple block level overwrites?
Clear
30
What type of data sanitization is proof against all recovery techniques?
Purge
31
What does "clearing" data do?
Multiple block-level overwrites.
32
What does "purging" data do?
Defeats recovery, even against cleanroom and material analysis.
33
What is an attestation of compliance?
A set of policies, contracts, and standards identified as essential in the agreement between two parties.
34
What is a set of policies, contracts, and standards identified as essential in the agreement between two parties?
Attestation of compliance
35
What are the five levels of the CMMI?
Initial
Managed
Defined
Quantitatively Managed
Optimizing
36
What is a non-regulatory agency in the US that establishes standards and best practices?
NIST
37
Describe the relationship between regulations and standards?
Regulations are lawful mandates that state a standard must be followed, while standards are a set of practices that can be implemented to fulfill a regulation
38
What regulation enforces rules for organizations related to the European Union?
GDPR
39
Which US Federal law is designed to protect the privacy of children?
COPPA
40
Which process is designed to provide assurance that information systems are compliant with federal standards?
Certification and Accreditation
41
What describes the actions taken to ensure that a system continues to operate in a compliant way?
Continuous monitoring.
42
What is authority to operate?
A formal letter of accreditation by a Certifying Authority upon successful review of an independent audit.
43
What are the phases of the certification and accreditation process?
Initiation and planning
Certification
Accreditation
Continuous monitoring
44
What is often referred to as the prudent man rule?
Due Care
45
What is due care?
Prudent man rule | The reasonable and expected protections put in place to protect an asset.
46
What is due diligence?
The ongoing and documented effort to continuously evaluate and improve asset protection.
47
What is an MSA?
Master service agreement | Establishes an agreement between two entities to conduct business during a defined term.
48
What is an NDA?
Non-disclosure agreement.
49
What is an MOU?
Memorandum of understanding | A contract that can establish ROE between two parties. Difficult to enforce. A formal means to define roles and expectations.
50
What is an ISA?
Interconnection security agreement | Rules for two entities to connect and share data
51
What is an OLA?
Operational level agreement | Internal documents that define the essential operational needs for an organization to meet its SLAs
52
What is a PLA?
Privacy level agreement | SLA but for data protection requirements
53
What describes the identification of applicable laws depending upon the location of the organization, data, or customer/subject?
Legal Jurisdiction
54
What describes when an organization's legal team receives notification to preserve electronic information?
Litigation hold
55
What type of agreement is often an umbrella contract that establishes the agreement between two entities to conduct business?
Master Service Agreement | MSA
56
What agreement governs services that are both measurable and repeatable?
SLA
57
What are the steps of the NIST 800-34 for business continuity planning?
Develop the continuity planning policy statement
Conduct the business impact analysis
Identify preventive measures
Create contingency strategies
Develop an information systems contingency plan
Ensure plan testing, training, and exercises
Ensure plan maintenance
58
What is the relationship between disaster recovery and business continuity plans?
Disaster recovery plans are focused on the immediate needs of a disaster and are part of the business continuity plan, which is broader and covers a longer time frame.
59
What is the last step in a business continuity plan?
Plan maintenance
60
What can be described as an analysis of a system's requirements, functions, and interdependence used to characterize system contingency requirements and priorities in the event of a disruption?
BIA
61
What generally defines the amount of data that can be lost without irreparable harm?
RPO | Recovery Point Objective
62
Which type of assessment seeks to identify specific types of sensitive data?
PIA | Privacy impact assessment
63
Using other locations to manage a disaster response is known as what?
Alternate site
64
What type of DR site has the lowest operating expense and complexity?
Cold site
65
Which site is one that can be activated and used within minutes?
Hot site
66
Which NIST publication has to do with incident response?
NIST 800-61
67
What is NIST 800-61?
Incident Handling Guide
68
What are the types of DR tests?
Checklist
Walkthrough
Tabletop
Parallel
Full interruption
69
Which type of DR test is the most disruptive?
Full interruption
70
Which type of DR test is a meeting to review the plans and analyze their effectiveness against various scenarios?
Walkthrough
71
Which type of DR test is used to determine whether all parties involved in the response know what to do and how to work together?
Tabletop
72
What is a UTM?
Unified threat management - a device or virtual appliance that provides multiple security services in a single solution.
73
What types of services does a UTM typically offer?
Content filtering
DLP
Spam filtering
Antivirus
Web filtering
Firewall
74
Describe non-transparent vs transparent proxy.
Non-transparent requires clients to be manually configured with the proxy server as a target. Transparent intercepts client traffic without the client having to be reconfigured.
75
What is a resource record set?
A package of resource records created by the authoritative DNS server signed by a zone signing key.
76
In DNS what is the difference between a zone signing key and a key signing key?
The zone signing key signs the resource record set, the key signing key signs the zone signing key so it can be easily revoked and re-established in case of compromise.
77
What is an API gateway?
A mechanism allowing software interfaces to be detached from the main application
78
What is an XML gateway?
An interface gateway that does not allow the same extensibility as an API gateway, but allows processing and firewall-like inspection. More secure.
79
What can be used to protect against DNS spoofing and DNS poisoning?
DNSSEC
80
What is the difference in NetFlow and sFlow?
NetFlow: packets in a transmission are aggregated into a flow and then exported for processing and analysis. sFlow: a sampling of packets, not a true aggregate of flows.
81
What are the typical capabilities of a SIEM?
``` Aggregation Correlation Alerting Visibility Compliance Data Retention ```
82
What are the two main components of a VPN?
The creation of a network tunnel between endpoints and the protection of the data within.
83
What is the difference in L2TP and IPSec?
L2TP (Layer 2 Tunneling Protocol) establishes the VPN tunnel, while IPSec encrypts the data within it.
84
What is a solution designed to validate an endpoint's security before it gets onto the network?
Network access control
85
What is a passive technology used to provide visibility into network traffic on a switch?
TAP | Test access port
86
What version of SNMP should be used?
v3
87
Why is a TAP preferable over a SPAN?
TAPs do not cause negative performance on the switch.
88
What type of networking is called east-west and is based upon policies established through SDN to limit traffic between workloads?
Microsegmentation
89
Which NIST SP talks about Zero Trust?
NIST SP 800-207
90
What is NIST 800-207?
Zero Trust Architecture
91
What are the planes in an SDN?
Control
Data
Management
92
Which SDN plane controls where traffic should be switched?
Control Plane
93
Which SDN plane handles the actual switching and security?
Data Plane
94
Which SDN plane monitors traffic and network status?
Management Plane
95
Which type of environment is characterized by having hosts and networks available for use by visitors?
Guest
96
What is a specially configured, highly hardened system for performing administrative tasks?
Jump box
97
What type of network segmentation differs from a traditional approach to provide higher security, granularity, and flexibility?
Microsegmentation
98
What network implementation creates an SDN by utilizing existing physical equipment?
SDN Overlay
99
What is vertical vs horizontal scaling?
Vertical scaling adds more power to an existing server, horizontal adds more servers.
100
What is type 1 virtualization?
"Bare metal" - the hypervisor is installed directly on the hardware, e.g. ESXi, Hyper-V
101
What is type 2 virtualization?
The hypervisor is installed on top of a host OS, e.g. VMware Player, VirtualBox
102
What describes improving performance by adding additional resources to an individual system?
Vertical scaling
103
What describes improving performance by adding additional systems to distribute load?
Horizontal scaling
104
What leverages the global footprint of cloud platforms by distributing and replicating the components of a service?
CDN | Content delivery network
105
What design strategy often conflicts with IT approaches that look to consolidate platforms and reduce product portfolios?
Diversity
106
Which type of virtualization allows the client to either access an application hosted on a server or stream the application from the server to the client for local processing?
Application virtualization
107
What is the set of automated tasks to be performed as part of a cloud deployment?
Bootstrapping
108
Describe the three main types of VDI
Hosted - provided by a third party that manages the entire infrastructure.
Centralized - all VDI instances are hosted within the enterprise; when an instance is requested, a new one is created.
Synchronized - lets work continue in a disconnected state with a local copy of the VDI that is then synchronized back up.
109
What is the difference in application virtualization and VDI?
VDI is a virtualization of the entire desktop or endpoint experience. Application virtualization is limited to just one application and may be referred to as "clientless".
110
What are the extensions of service oriented architecture?
People
Process
Platform
Practice
111
What are some functions that can be performed via a Container API?
List logs generated by an instance
Issue commands to the running container
Create, update, and delete containers
List capabilities
112
What environment is used to merge code from multiple developers to a single master copy?
Test
113
What describes middleware software designed to enable integration and communication between a wide variety of applications throughout an enterprise?
Enterprise service bus
114
What is shadow IT?
IT systems deployed without the approval of centralized IT to work around shortcomings, requirements, or bottlenecks.
115
What are the steps of the SDLC?
Planning
Solution design
Coding
Testing
Release/Deployment
116
What is regression testing?
Evaluating whether changes in code have caused unintended bugs.
117
What type of testing is to find issues where changes in code have caused previously working functions to fail?
Regression testing
118
What type of testing involves pass/fail for one block of code?
Unit Test
119
Which type of testing verifies that individual components of a system work together?
Integration testing
120
Which development model includes phases that cascade with each phase only starting when the last finishes?
Waterfall
121
What development model incorporates security as code and infrastructure as code?
SecDevOps
122
What is the directory services standard?
X.500
123
How does Kerberos work?
Clients request services from an application server, and both rely on an intermediary - the key distribution center. The user authenticates and is given a ticket granting ticket from the ticket granting server. This ticket granting ticket is then used to request a service ticket from the ticket granting service.
124
What port does TACACS use?
49
125
What is the certificate standard?
X.509v3
126
What does OAuth provide?
Authorization, not authentication
127
What is the port based network access control standard?
802.1x
128
What is the device requesting access in network access control called?
Supplicant
129
What is an HOTP?
HMAC-based one-time password. This is often what MFA fobs or smartphone authenticator apps use. They do not, however, have to expire.
130
What is TOTP?
Time-based one-time password - a refinement of HOTP that forces each token to expire.
131
In REST, what is a method to transfer claims between two parties?
JSON Web Tokens, which are signed and protected with a message authentication code, or encrypted
132
When storing passwords, what method should not be used?
Encryption
133
What is the term used to describe when credentials created and stored at an external provider are trusted for identification and authentication?
Federation
134
Which access control is a modern, fine grained type of access control that uses XACML?
ABAC | Attribute-based access control
135
What authentication protocol is comparable to RADIUS and used in Cisco devices?
TACACS
136
What authentication scheme uses an HMAC built from a shared secret plus a value derived from a device and server's local timestamps?
TOTP | Time-based one-time password
137
What is hardware root of trust?
Trust anchor | A secure subsystem that is able to provide attestation that the system hasn't been changed.
138
What is a TPM?
Trusted platform module | Hardware-based storage of encryption keys, passwords, and other identification information.
139
What is EAP?
Extensible authentication protocol | Provides a framework for deploying multiple types of authentication protocols and technologies
140
What are the parts of OAuth?
Provider - the site that owns the data and the user account, such as Facebook or Google.
Resource owner - the user with an account at a provider who can allow a client access to some part of their account.
Client - the site that wants to use some resource of the provider by getting permission and authorization from said provider. The client must be registered with the authorization server.
141
What does SAML use for communication?
XML
142
What does OAuth use for communication?
JSON
143
What is the data lifecycle?
Create
Store
Use
Archive
Destroy
144
In which stage of the data life cycle is data shared using various mechanism such as email?
Use
145
What are the parts of data management?
Inventory, mapping, and integrity management.
146
What data obfuscation method replaces sensitive data with an irreversible value?
Tokenization
147
What data obfuscation method is designed to protect PII so that it can be shared?
Anonymization
148
What are the types of data obfuscation methods?
Encryption
Format conversion (encoding)
Tokenization
Scrubbing
Anonymization
149
Which type of virtualization platform supports micro services and serverless architecture?
Containerization
150
What is assigned to cloud resources through the use of tags?
Metadata
151
Which type of cloud service model can be described as virtual machines and software running on a shared platform to save costs?
Multi-tenant
152
What are four types of cloud storage models?
Object
File-based
Block
Blob
153
Which storage model typically supports cloud-based applications' need to access documents, video, or image files?
Object
154
Which storage model typically uses a traditional hierarchical system to store files by a path?
File-based
155
Which storage model typically supports high performance, transactional applications such as databases?
Block
156
Which storage model typically supports the storage of large amounts of unstructured data?
Blob
157
What is blockchain?
An expanding list of transactional records which are secured using cryptography. Each block is hashed, and the hash value of the previous block in the chain is included in the hash calculation of the next block, which links them. The ledger is distributed across a peer-to-peer network. Every node has the ability to view every transaction.
158
What is a system whereby multiple groups can calculate a function, but the function itself is only known by a single party?
Secure multi-party computation | MPC/SMPC
159
Which technology is a ledger distributed across a p2p network?
blockchain
160
What emulates a real-life environment through computer-generated sights and sounds?
Virtual reality
161
What term describes computer generated images of a person that appear real?
Deepfake
162
What type of processing deconstructs knowledge into a series of smaller, simpler parts that can be interpreted?
Deep learning
163
What type of computing uses information represented by spin properties and momentum of matter?
Quantum
164
What kind of cert is used to identify devices within an organization?
Trust certificate
165
What is the current wifi standard to use?
WPA3
166
What type of encryption does WPA2 use?
AES-CCMP
167
What type of encryption does WPA3 use?
AES-GCMP
168
What type of communication does NFC use?
RFID
169
What is DoH?
DNS over HTTPS | Offers privacy between the user and the DNS server by encrypting the DNS requests
170
What is sideloading?
Installing an APK file on Android that is not from the app store.
171
What is a popular android unauthorized app store?
F-Droid
172
What are two types of certificates commonly used to implement access controls for mobile devices?
Trust certificates, personal certificates
173
Which standard is associated with Simultaneous authentication of equals?
WPA3
174
Which device attack allows complete control of a device without the target being paired?
BlueBorne attack
175
What is the process of determining which additional software or scripts may be installed or run on a host beyond its baseline?
Execution control
176
What do BIOS and UEFI use?
BIOS uses the master boot record (MBR)
UEFI uses the GUID partition table (GPT)
177
What is secure boot?
Secure boot is designed to prevent a computer from being hijacked by a malicious OS, using digital certificates from valid OS vendors.
178
What is measured boot?
Uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check critical areas for change
179
What modules does the secure boot attestation service use?
NV-RAM, which stores the OEM's secure boot info
Signature database (db)
Revoked signature database (dbx)
Key enrollment key (KEK) database
180
What is a hardware security module?
An HSM is a network appliance designed to perform centralized PKI for a network of devices. It can also be a plug-in PCIe card or a USB-connected device. Supposedly better than a TPM.
181
Which types of attacks on Android can bypass the protections of mandatory access control?
Interapp communication attacks
182
Which control is designed to prevent a computer from being hijacked by a malicious OS?
Secure boot
183
Which type of host protection should provide capabilities that directly align to the NIST cybersecurity framework core?
EDR
184
What describes intentionally spreading data across different storage locations?
Data dispersion
185
What is bit splitting?
Aka cryptographic splitting | Splitting encrypted data outputs into multiple parts, which are subsequently stored in disparate storage locations, and then encrypting the outputs a second time
186
What are some FaaS?
Functions as a service:
AWS Lambda
Google Cloud Functions
Microsoft Azure Functions
187
What are some security concerns with serverless computing?
Ensuring that the clients accessing the services have not been compromised
Entirely reliant on the service provider
188
Which cloud computing practice eliminates the use of traditional virtual machines?
Serverless
189
What is a critical component dictating the implementation of logging capabilities in the cloud?
Regulations
190
What is an ASIC?
Application-specific integrated circuit | An expensively designed, single-function system
191
What is an FPGA?
Field programmable gate array | A controller not fully set at the time of manufacture that can be programmed to perform a specific function
192
What is SCADA vs ICS?
ICS is industrial control systems; they provide mechanisms for workflow and process automation with machinery. They have embedded PLCs which are linked by a fieldbus or industrial Ethernet. Human-machine interfaces provide access via a control panel or software. SCADA is supervisory control and data acquisition; it takes the place of a control server in large-scale, multiple-site ICSs. Typically runs as regular software.
193
What is a PLC?
Programmable logic controller - acts as a bridge between the real world and the digital world.
194
Which component integrates practically all of the components of a traditional chipset?
System on a chip
195
Which type of industrial computer is typically used to enable automation in assembly lines and is programmed using ladder language?
Programmable logic controller
196
Which type of availability attack are industrial computers most sensitive to?
Denial of service
197
What are two popular hashing algorithms?
MD5 and SHA
198
What are SHA1 and SHA256's output size?
160 bit and 256 bit
199
What algorithm was designated SHA3?
Keccak
200
What is RIPEMD?
Hashing algorithm designed at the same time as SHA1. Outputs 128, 160, 256, and 320 bits. Used within PGP encryption.
201
What is HMAC?
Hash-based message authentication code. A way to tell that the message hasn't changed and that the sender knows the secret key; requires a shared key. The sender uses an HMAC function to produce a MAC by feeding it the message and the secret key. The receiver can recompute the HMAC with the message and the shared key, and if it matches the MAC sent, the message is good.
202
What is Poly1305?
MAC focused on speed that works well on older devices, often combined with Salsa20 and ChaCha
203
What is a stream cipher?
Data is encrypted one bit at a time. Good for encrypting items where the length of the message is not known. Uses an initialization vector to generate a unique keystream, which changes.
204
What is a block cipher?
Data is encrypted in equal-sized blocks; data is padded if too short.
205
What are some stream ciphers and which are good?
RC4 - bad
Salsa20 - good
ChaCha - good, based off Salsa20, often combined with Poly1305
206
What are some stream ciphers and which are good?
3des - bad | AES - the best, can use variable block sizes
207
What are the modes of cipher blocks and which are good?
Cipher block chaining (CBC) - bad
Electronic codebook (ECB) - bad
Galois/Counter Mode (GCM) - good
Counter (CTR) - good
Output feedback (OFB) - good
208
Which MAC method is commonly used with Salsa20?
Poly1305
209
What is S/MIME?
Secure multipurpose internet mail extensions | Mail using digital certificates to encrypt email
210
What are three signing methods?
RSA - factoring large prime numbers
DSA - digital signature algorithm, faster at generating, slower at verifying
ECDSA - elliptic curve digital signature algorithm, utilizes properties of elliptic curves
211
What are two key agreement methods?
Diffie-Hellman (DH) | Elliptic curve Diffie-Hellman (ECDH)
212
What are the parts of a cipher suite?
Key exchange, signature, bulk encryption, message authentication, elliptic curve
213
What is EAP-TLS?
Extensible authentication protocol - transport layer security. One of the strongest types of authentication and widely supported. Encrypted tunnel between supplicant and server; both supplicant and server are configured with certificates.
214
What is PEAP?
Protected extensible authentication protocol. Encrypted tunnel between supplicant and authentication server; only requires a server-side public key. Must use MS-CHAPv2 or EAP-GTC for its inner authentication method.
215
What is EAP-TTLS?
Uses a server-side cert; can use any inner authentication protocol
216
What is EAP-FAST?
EAP with flexible authentication via secure tunneling
217
What is IPSEC?
VPN protocol that works at layer 3; provides both confidentiality and integrity by signing each packet
218
What are the two modes of IPSEC?
Authentication header (AH) - provides integrity but does not encrypt the payload. Includes the IP header.
ESP - encapsulating security payload - can be used to encrypt the packet and can provide confidentiality, authentication, and integrity. Excludes the IP header.
219
What is ECC?
Asymmetric encryption, has low overhead.
220
What are the ECC implementations?
P256 - no longer recommended | P384 - can be used for top secret
221
What takes a key generated from a user and repeatedly converts it to a longer and more random key?
Key stretching
222
What are some key stretching methods?
PBKDF2 - widely used | bcrypt - adds salt
223
What is the bulk encryption method used in the following cipher suite: ECDHE-RSA-AES128-GCM-SHA256
AES128-GCM
224
What is the key exchange method used in the following cipher suite: ECDHE-RSA-AES128-GCM-SHA256
ECDHE
225
What is the signing method used in the following cipher suite: ECDHE-RSA-AES128-GCM-SHA256
RSA
226
What is the MAC method used in the following cipher suite: ECDHE-RSA-AES128-GCM-SHA256
SHA256
227
What device used to provide strong authentication stores a user's digital certificate, private key, and a PIN?
Smart Card
228
What are the certificate life cycle management steps?
Generate
Provision
Discover
Inventory
Monitor
Protect
Renew
Revoke
229
What is cert pinning?
Techniques to ensure that when a client inspects a certificate, it is inspecting the proper certificate
230
What is cert stapling?
Having a web server periodically obtain a time-stamped OCSP response from the CA and return this response in lieu of making the client contact the OCSP responder itself
231
What is HSTS?
HTTP strict transport security - a configuration to force HTTPS
232
What entity is responsible for issuing certificates?
Certificate Authority
233
What is a term to describe the requirement for both client and server devices to use certificates to verify identity?
Mutual authentication
234
Describe threat vs adversary emulation.
Threat emulation is emulating known tactics, techniques and procedures in a realistic way without emulating a specific threat actor. Adversary emulation is threat emulation that mimics a specific actor.
235
What is the cyber kill chain?
Developed by Lockheed Martin; the steps an adversary must complete to achieve their goals:
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives
236
What is a defensive approach that assumes breach?
Threat hunting
237
What are some types of decoy files?
Honeytoken | Canary file
238
What are some deceptive security technologies?
Decoy files
Honeypot
Honeynet
Simulators
Dynamic network configurations
239
What is a simple to deploy deceptive technology?
Simulator
240
What is a sandbox application?
A self contained software application which includes all of the necessary components to operate on an immutable system.
241
What is a self-contained software application which includes all of the necessary components to operate on an immutable system?
A sandbox application.
242
What ways can you fix buffer overflow?
Patching
Secure coding
Address space layout randomization
Data execution protection
243
What is data execution protection?
The operating system identifies areas of memory allowed and not allowed to contain executable code and prevents that code from executing out of bounds.
244
What describes how software can be analyzed for open-source components?
Software composition analysis.
245
What is the default tcpdump command?
tcpdump -i eth0
246
What are some types of logs?
Network logs
Access logs
Vulnerability logs
NetFlow logs
247
What is NetFlow also known as?
IP Flow Information Export (IPFIX)
248
What are the steps of the incident response process?
Preparation
Detection and Analysis
Containment, Eradication and Recovery
Post-Incident Activity
249
Are alerts generated by an IDS more critical as their value goes down or up?
Down in value, 1 is critical
250
What uses YARA rules most often?
Anti-virus
251
What are the four steps of the forensic process?
Identification
Collection
Analysis
Reporting
252
What are some file carving tools?
Foremost - Linux | strings
253
What are some binary analysis tools?
hexdump
Ghidra - written by the NSA
GNU project debugger (gdb)
OllyDbg - Windows debugger
readelf
objdump
strace - interactions between processes and the Linux kernel
ldd - dependency display
file
254
What can be used to inspect firmware images?
Binwalk
255
What tool can read and write file metadata?
exiftool
256
What term describes evidence handling from collection through presentation in court?
chain of custody
257
What are some live collection tools?
netstat
ps
vmstat - real-time I/O information
lsof - list open files
netcat
conntrack - interact with connection tracking
tcpdump
wireshark
258
What are some hashing utilities?
sha256sum | ssdeep - compare files