Ch 1-5 Flashcards
Which security-related phrase relates to the integrity of data: "Availability is authorized", "Modification is authorized", "Knowledge is authorized", or "Non-repudiation is authorized"?
Modification is authorized. Integrity means that data is stored and transferred as intended and that any modification is authorized.
Integrity is part of the CIA triad.
Define Availability
Information is accessible to those authorized to view or modify it, when and where they need it. (Restricting access to only those who are authorized is confidentiality, not availability.)
An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the “detect” function, what does the engineer focus on?
Detect refers to performing ongoing proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.
What does Identify mean per NIST?
Identify covers developing security policies and capabilities, evaluating risks, threats, and vulnerabilities, and recommending security controls to mitigate them.
What does Protect mean according to NIST?
Protect covers the processes to install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of the operations life cycle.
What is Recover per NIST?
Recover is the implementation of cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.
What are the properties of a secure information processing system?
Confidentiality, Integrity, and Availability (and Non-repudiation)
A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?
A security operations center (SOC).
A business is expanding rapidly and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?
Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators. DevSecOps embeds the security function within these teams as well.
You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?
It is a technical type of control (implemented in software) and acts as a preventive measure.
A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?
It would be classed as a physical control and its function is both detecting and deterring.
A firewall appliance intercepts a packet that violates policy. It automatically updates its Access Control List to block all further packets from the source IP. What TWO functions is the security control performing?
Preventive and corrective.
If a security control is described as operational and compensating, what can you determine about its nature and function?
That the control is enforced by a person rather than a technical system, and that the control has been developed to replicate the functionality of a primary control, as required by a security standard.
If a company wants to ensure it is following best practice in choosing security controls, what type of resource would provide guidance?
A cybersecurity framework and/or benchmark and secure configuration guides.
Any external responsibility for an organization’s security lies mainly with which individuals?
External responsibility for security (due care or liability) lies mainly with directors or owners. It is important to note that all employees share some measure of responsibility.
What does Defense in Depth mean?
Defense in depth means an attacker must get past multiple security controls to fully compromise a network. Since employees are the greatest security risk, user training is a critical component of defense in depth.
What are the five NIST Cybersecurity Framework functions?
Identify, Protect, Detect, Respond, Recover
Name the 3 categories of security controls and their 6 functional types.
Technical, Operational, Managerial
Preventive, Detective, Corrective, Physical, Deterrent, Compensating
Which of the following would be assessed by likelihood and impact: vulnerability, threat, or risk?
Risk. To assess likelihood and impact, you must identify both the vulnerability and the threat posed by a potential exploit.
True or false? Nation state actors primarily only pose a risk to other states.
False—nation state actors have targeted commercial interests for theft, espionage, and extortion.
You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day’s consultancy to patch the vulnerability. How should you categorize this threat?
This is either gray hat hacking or black hat hacking. If the request for compensation via consultancy is an extortion threat (if refused, the hacker sells the exploit on the dark web), then the motivation is purely financial gain and can be categorized as black hat. If the consultancy is refused and the hacker takes no further action, it can be classed as gray hat.
Which type of threat actor is primarily motivated by the desire for social change?
Hacktivist
Which three types of threat actor are most likely to have high levels of funding?
State actors, criminal syndicates, and competitors
You are assisting with writing an attack surface assessment report for a small company. Following the CompTIA syllabus, which two potential attack vectors have been omitted from the following headings in the report? Direct access, Email, Remote and wireless, Web and social media, Cloud.
Removable media and supply chain.
You are consulting on threat intelligence solutions for a supplier of electronic voting machines. What type of threat intelligence source would produce the most relevant information at the lowest cost?
For critical infrastructure providers, threat data sharing via an Information Sharing and Analysis Center (ISAC) is likely to be the best option.
Your CEO wants to know if the company’s threat intelligence platform makes effective use of OSINT.
What is OSINT?
Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records. In terms of threat intelligence specifically, it refers to research and data feeds that are made publicly available.
You are assessing whether to join AIS. What is AIS and what protocol should your SIEM support in order to connect to AIS servers?
Automated Indicator Sharing (AIS) is a service offered by the U.S. Department of Homeland Security (DHS), through CISA, for participating in threat intelligence sharing. AIS uses the Trusted Automated eXchange of Indicator Information (TAXII) protocol as a means of transmitting CTI data between servers and clients; the indicators themselves are expressed in the Structured Threat Information eXpression (STIX) format, so the SIEM needs to support both.
A contractor has been hired to conduct security reconnaissance on a company. The contractor browses the company’s website to identify employees and then finds their Facebook pages. Posts found on Facebook indicate a favorite bar that employees frequent. The contractor visits the bar and learns details of the company’s security infrastructure through small talk. What reconnaissance phase techniques does the contractor practice?
OSINT & Social Engineering
OSINT refers to using web search tools and social media to obtain information about the target (here, the company website and the employees' Facebook pages).
Social engineering was used at the bar, where small talk with employees elicited details of the company's security infrastructure.
What is a security policy?
The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources
How does scanning work?
Using software tools to obtain information about a host or network topology is considered scanning
A security engineer investigates a recent system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector?
A threat is the potential for something to exploit a vulnerability. The thing that poses the threat is called an actor, while the path used can be referred to as the vector.
One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the critical factors to profile?
Intent and motivation (what the actor hopes to achieve and why), together with the actor's level of sophistication/capability and resources/funding.
You suspect that a rogue host is acting as the default gateway for a subnet in a spoofing attack. What command-line tool(s) can you use from a Windows client PC in the same subnet to check the interface properties of the default gateway?
ipconfig, arp, route
Use ipconfig /all to check the IP addresses of the default gateway and the DHCP server (a rogue DHCP server may be what handed out the rogue gateway). Use arp -a to check the MAC addresses associated with those IP addresses and investigate possible spoofing. You could also use the route print command to verify the properties of the default route.
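The following is an added example, not part of the original flashcards: it applies the ipconfig/arp check above programmatically, parsing the two command outputs and flagging the classic ARP spoofing indicators (the gateway's MAC no longer matches the baseline you recorded when the network was healthy, or another host in the cache claims the gateway's MAC). The ipconfig and arp outputs and the "known-good" baseline MAC are constructed samples in the format Windows prints; on a live host you would capture them with subprocess.run(["ipconfig", "/all"]) and subprocess.run(["arp", "-a"]).

```python
"""Flag signs of a rogue default gateway from `ipconfig /all` and `arp -a` output.

Added example (not from the original flashcards). Both outputs below are
constructed samples; the baseline MAC is an assumed value recorded earlier.
"""
import re

IPCONFIG_OUTPUT = """\
Ethernet adapter Ethernet0:

   IPv4 Address. . . . . . . . . . . : 10.1.5.42
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.5.1
   DHCP Server . . . . . . . . . . . : 10.1.5.1
"""

ARP_OUTPUT = """\
Interface: 10.1.5.42 --- 0x6
  Internet Address      Physical Address      Type
  10.1.5.1              00-0c-29-aa-bb-cc     dynamic
  10.1.5.77             00-0c-29-aa-bb-cc     dynamic
  10.1.5.255            ff-ff-ff-ff-ff-ff     static
"""

# Assumed: the gateway MAC recorded at baseline, before the incident.
KNOWN_GOOD_GATEWAY_MAC = "00-50-56-11-22-33"


def parse_ipconfig(text):
    """Return {'gateway': ip, 'dhcp': ip} from `ipconfig /all` output."""
    fields = {}
    for label, key in (("Default Gateway", "gateway"), ("DHCP Server", "dhcp")):
        m = re.search(label + r"[ .]*: *(\d+\.\d+\.\d+\.\d+)", text)
        if m:
            fields[key] = m.group(1)
    return fields


def parse_arp(text):
    """Return {ip: mac} for every entry in `arp -a` output (MACs lower-cased)."""
    table = {}
    pattern = r"(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})"
    for m in re.finditer(pattern, text, re.I):
        table[m.group(1)] = m.group(2).lower()
    return table


def gateway_findings(ipconfig_text, arp_text, known_good_mac):
    """Return a list of human-readable spoofing indicators (empty if none)."""
    findings = []
    gw = parse_ipconfig(ipconfig_text).get("gateway")
    table = parse_arp(arp_text)
    gw_mac = table.get(gw)
    if gw is None or gw_mac is None:
        findings.append("gateway not resolved in ARP cache")
        return findings
    # Indicator 1: the gateway IP now maps to a different MAC than at baseline.
    if gw_mac != known_good_mac.lower():
        findings.append(
            f"gateway {gw} MAC {gw_mac} differs from baseline {known_good_mac.lower()}"
        )
    # Indicator 2: another IP shares the gateway's MAC (attacker answering for both).
    sharers = [ip for ip, mac in table.items() if mac == gw_mac and ip != gw]
    if sharers:
        findings.append(f"gateway MAC also claimed by {', '.join(sharers)}")
    return findings


if __name__ == "__main__":
    for finding in gateway_findings(IPCONFIG_OUTPUT, ARP_OUTPUT, KNOWN_GOOD_GATEWAY_MAC):
        print("WARNING:", finding)
```

Run it against saved command output from the suspect client; a second host sharing the gateway's MAC is the stronger of the two signals, since a legitimate gateway replacement changes the MAC but does not duplicate it.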
You suspect the rogue host is modifying traffic before forwarding it, with the side effect of increasing network latency. Which tool could you use to measure latency on traffic routed from this subnet?
From a Windows host, the pathping tool can be used to measure latency along a route.
What type of tool could you use to fingerprint the host acting as the default gateway?
Nmap is very widely used for this task (for example nmap -O for OS detection and nmap -sV for service/version detection), or you could use hping or Netcat.
This requires a tool that performs fingerprinting (OS detection) and service/version detection, by examining responses to network probes and comparing them to known responses from common platforms.
You are investigating a Linux server that is the source of suspicious network traffic. At a terminal on the server, which tool could you use to check which process is using a given TCP port?
netstat, for example netstat -tnp, which lists TCP sockets with the owning PID and program name (ss -tnp does the same on modern distributions). Run it as root: without root, the PID column shows "-" for sockets owned by other users.
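As an added example (not part of the original flashcards or of netstat's own code), this script does by hand what netstat -tnp and ss -tnp do on Linux: find the socket inode for a listening port in /proc/net/tcp, then search every process's /proc/<pid>/fd for a link to that inode. It assumes Linux with /proc mounted; it binds a throwaway listener of its own so it can be run offline and confirms the lookup resolves to the current process. The permission behaviour is the same as netstat's: fd tables of other users' processes are unreadable without root, which is why the PID column shows "-" for them.

```python
"""Map a listening TCP port to the process that owns it, netstat -tnp style.

Added example (not from the original flashcards). Assumes Linux (/proc).
"""
import os
import socket


def listening_inode(port):
    """Return the socket inode of a LISTEN (state 0A) socket on `port`, or None."""
    for fname in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(fname) as f:
                next(f)  # skip the column header
                for line in f:
                    parts = line.split()
                    local, state, inode = parts[1], parts[3], parts[9]
                    # local is "HEXADDR:HEXPORT"; the port is the part after the colon
                    if state == "0A" and int(local.rsplit(":", 1)[1], 16) == port:
                        return int(inode)
        except FileNotFoundError:
            continue
    return None


def pid_for_inode(inode):
    """Return the PID whose fd table links to socket:[inode], or None."""
    target = f"socket:[{inode}]"
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(f"{fd_dir}/{fd}") == target:
                        return int(pid)
                except OSError:
                    continue  # fd closed between listdir and readlink
        except OSError:
            continue  # another user's process and we are not root
    return None


def pid_for_port(port):
    """The answer netstat -tnp gives for a listening port: its owning PID."""
    inode = listening_inode(port)
    return None if inode is None else pid_for_inode(inode)


def demo():
    """Bind a throwaway listener and check that it resolves to this process."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return pid_for_port(port) == os.getpid()
    finally:
        srv.close()


if __name__ == "__main__":
    print("lookup resolved to our own PID:", demo())
```

On a compromised server the interesting case is a listening port whose owning PID is a process name you do not recognise, or one whose /proc/<pid>/exe link points at a deleted or unexpected path.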
What is a zone transfer and which reconnaissance tools can be used to test whether a server will allow one?
nslookup, dig, dnsenum
A zone transfer is where a DNS server allows a client to request all the name records for a domain (an AXFR query). nslookup (Windows) and dig (principally Linux) can be used to test whether this query is allowed. You could also mention the dnsenum tool, which will check for zone transfers along with other enumeration tests on DNS infrastructure. A correctly configured authoritative server restricts transfers to its secondary name servers.
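As an added example (not from the original flashcards), the script below wraps the dig zone-transfer test and interprets its output: a permitted AXFR is bracketed by the zone's SOA record at the start and end, while a refusal prints "; Transfer failed.". The run_axfr function assumes dig is installed; the two sample outputs are constructed in dig's format so that the parsing can be checked offline, and the zone and hosts in them are placeholders.

```python
"""Test for an open DNS zone transfer (AXFR) and interpret dig's output.

Added example (not from the original flashcards). The samples are constructed.
"""
import subprocess

# Constructed: dig output when the server permits the transfer.
ALLOWED_SAMPLE = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test AXFR
;; global options: +cmd
example.test.       3600  IN  SOA  ns1.example.test. admin.example.test. 2024010101 7200 900 1209600 300
example.test.       3600  IN  NS   ns1.example.test.
www.example.test.   3600  IN  A    192.0.2.10
db-internal.example.test. 3600 IN A 192.0.2.20
example.test.       3600  IN  SOA  ns1.example.test. admin.example.test. 2024010101 7200 900 1209600 300
;; Query time: 3 msec
"""

# Constructed: dig output when the server refuses.
REFUSED_SAMPLE = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test AXFR
;; global options: +cmd
; Transfer failed.
"""


def parse_axfr(output):
    """Return [(name, rrtype, rdata), ...] from dig output; [] if nothing transferred."""
    records = []
    for line in output.splitlines():
        if not line or line.startswith(";"):
            continue  # comments, status lines, "Transfer failed."
        parts = line.split(None, 4)  # name ttl class type rdata
        if len(parts) == 5 and parts[2] == "IN":
            records.append((parts[0], parts[3], parts[4]))
    return records


def axfr_allowed(output):
    """A complete AXFR begins and ends with the zone's SOA record."""
    recs = parse_axfr(output)
    return len(recs) >= 2 and recs[0][1] == "SOA" and recs[-1][1] == "SOA"


def run_axfr(nameserver, zone):
    """Run the equivalent of `dig @nameserver zone AXFR` and return its stdout."""
    proc = subprocess.run(
        ["dig", f"@{nameserver}", zone, "AXFR"],
        capture_output=True, text=True, timeout=30,
    )
    return proc.stdout


if __name__ == "__main__":
    for label, sample in (("allowed", ALLOWED_SAMPLE), ("refused", REFUSED_SAMPLE)):
        print(label, "->", axfr_allowed(sample), len(parse_axfr(sample)), "records")
```

The interesting output of a permitted transfer is the records themselves: internal host names such as the db-internal entry in the sample are exactly what an attacker wants from this step, so test each authoritative server listed in the zone's NS records, not just the first.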
What type of organizational security assessment is performed using Nessus?
Nessus (automated network vulnerability scanner) checks for software vulnerabilities & missing patches.
You are developing new detection rules for a network security scanner. Which tool (command line) will be of use in testing whether the rules match a malicious traffic sample successfully?
The tcpreplay tool can be used to stream captured traffic from a file (a pcap) to a monitored network interface, so the scanner sees the malicious sample exactly as it would on the wire.
What security posture assessment could a penetration tester make using Netcat?
Whether it is possible to open a network connection to a remote host over a given port.
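The following added example (not from the original flashcards or from Netcat's code) does in Python what the two Netcat-style checks above describe: a bare TCP connection test, which is what nc -zv host port reports, followed by a banner grab, the simplest form of the service fingerprinting discussed under the default-gateway question. It starts a throwaway local listener that sends a constructed "SSH-2.0-OpenSSH_9.2" banner so it runs offline; the banner-to-service table is an illustrative assumption, not Nmap's probe database.

```python
"""Netcat-style port check plus banner-grab fingerprinting against a local listener.

Added example (not from the original flashcards). Listener and banner are constructed.
"""
import socket
import threading

BANNER = b"SSH-2.0-OpenSSH_9.2 Debian-2\r\n"  # constructed sample banner

KNOWN_BANNERS = {  # assumed, illustrative prefixes only
    "SSH-": "ssh",
    "220 ": "smtp/ftp",
    "HTTP/": "http",
}


def serve_banner(banner):
    """Start a local TCP listener that sends `banner` to one client; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def port_open(host, port, timeout=1.0):
    """True if the TCP handshake completes, which is all `nc -z` tells you."""
    with socket.socket() as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def grab_banner(host, port, timeout=1.0):
    """Connect and read whatever the service volunteers before we send anything."""
    with socket.socket() as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256).decode(errors="replace").strip()
        except socket.timeout:
            return ""  # service waits for the client to speak first (e.g. HTTP)


def fingerprint(banner):
    """Match the banner against known prefixes; 'unknown' means probe further."""
    for prefix, service in KNOWN_BANNERS.items():
        if banner.startswith(prefix):
            return service
    return "unknown"


def demo():
    """Open a banner-sending listener, grab its banner and classify it."""
    port = serve_banner(BANNER)
    banner = grab_banner("127.0.0.1", port)
    return banner, fingerprint(banner)


if __name__ == "__main__":
    print(demo())
```

An empty banner is not a closed port: services such as HTTP wait for the client to speak first, which is why real fingerprinting tools send protocol-specific probes rather than relying on what the service volunteers.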
You are recommending that a business owner invest in patch management controls for PCs and laptops. What is the main risk from weak patch management procedures on such devices?
Vulnerabilities in the OS and applications software such as web browsers and document readers or in PC and adapter firmware can allow threat actors to run malware and gain a foothold on the network.
You are advising a business owner on security for a PC running Windows XP. The PC runs process management software that the owner cannot run on Windows 10. What are the risks arising from this, and how can they be mitigated?
Windows XP is a legacy platform that is no longer receiving security updates. This means that patch management cannot be used to reduce risks from software vulnerabilities. The workstation should be isolated from other systems to reduce the risk of compromise: segment it onto its own network, allow only the traffic the process management software needs, and give it no direct internet access.
As a security solutions provider, you are compiling a checklist for your customers to assess potential weak configuration vulnerabilities, based on the CompTIA Security+ syllabus. From the headings you have added so far, which is missing and what vulnerability does it relate to?
Default settings, Unsecured root accounts, Open ports & services, Unsecure protocols, Weak encryption, Errors
Open permissions is the missing heading. It refers to misconfigured access rights for data folders, network file shares, and cloud storage.
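As an added example (not from the original flashcards), this script audits a directory tree for the "open permissions" weakness on a POSIX filesystem: any file or directory that all users can write to. It builds a constructed sample tree in a temporary directory, with one locked-down share, one world-writable drop folder, a sticky-bit directory of the /tmp kind (reported as acceptable), and a payroll file with mode 666. The exception for sticky-bit directories is a design choice of this example; on NTFS shares and cloud storage the equivalent check is the ACL, not the mode bits.

```python
"""Find world-writable files and directories (open permissions) under a root.

Added example (not from the original flashcards). The sample tree is constructed.
"""
import os
import stat
import tempfile


def open_permission_findings(root):
    """Return sorted [(relative_path, mode), ...] for entries writable by 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless; the target is checked in its own place
            if st.st_mode & stat.S_IWOTH:
                # World-writable directories with the sticky bit (like /tmp) are a
                # deliberate pattern: users can add files but not delete each other's.
                if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
                    continue
                findings.append((os.path.relpath(path, root), stat.S_IMODE(st.st_mode)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one locked-down share, one open drop folder, one sticky scratch dir."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    os.mkdir(os.path.join(root, "finance"))
    os.chmod(os.path.join(root, "finance"), 0o750)
    os.mkdir(os.path.join(root, "public_drop"))
    os.chmod(os.path.join(root, "public_drop"), 0o777)  # open, no sticky bit
    os.mkdir(os.path.join(root, "scratch"))
    os.chmod(os.path.join(root, "scratch"), 0o1777)  # sticky bit: acceptable
    payroll = os.path.join(root, "finance", "payroll.csv")
    with open(payroll, "w") as f:
        f.write("id,amount\n")
    os.chmod(payroll, 0o666)  # open: anyone can alter the data
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, mode in open_permission_findings(sample_root):
        print(f"{mode:04o}  {rel}")
```

Point the audit function at a real share root to get the same report; the mode is printed in octal so the finding can be compared directly with what ls -l or stat shows.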
You are advising a customer on backup and disaster recovery solutions. The customer is confused between data breaches and data loss and whether the backup solution will protect against both. What explanation can you give?
Backup solutions mitigate risks from data loss, where files or information is deleted, corrupted, or otherwise destroyed. Backup does not mitigate risks from data breach, where confidential or private data is stolen (exfiltrated) and made public or sold for criminal profit. Mitigating risks of data breach requires effective secure processing, authorization, and authentication security controls.
A system integrator is offering a turnkey solution for customer contact data storage and engagement analytics using several cloud services. Does this solution present any supply chain risks beyond those of the system integrator’s consulting company?
Yes, the system integrator is proposing the use of multiple vendors (the cloud service providers), with potentially complex issues for collecting, storing, and sharing customer personal data across these vendors. Each company in the supply chain should be assessed for risk and compliance with cybersecurity and privacy standards.
You have received an urgent threat advisory and need to configure a network vulnerability scan to check for the presence of a related CVE on your network. What configuration check should you make in the vulnerability scanning software before running the scan?
Verify that the vulnerability feed/plug-in/test has been updated with the specific CVE that you need to test for.
You have configured a network vulnerability scanner for an engineering company. When running a scan, multiple sensors within an embedded systems network became unresponsive, causing a production shutdown. What alternative method of vulnerability scanning should be used for the embedded systems network
A fully non-intrusive solution should be adopted, such as sniffing traffic using a network tap or mirror port. Using the network traffic to detect vulnerabilities rather than actively probing each device will not cause system stability issues (though there is greater risk of false positive and false negative results).
A vulnerability scan reports that a CVE associated with CentOS Linux is present on a host, but you have established that the host is not running CentOS. What type of scanning error event is this?
False positive.
A small company that you provide security consulting support to has resisted investing in an event management and threat intelligence platform. The CEO has become concerned about an APT risk known to target supply chains within the company’s industry sector and wants you to scan their systems for any sign that they have been targeted already. What are the additional challenges of meeting this request, given the lack of investment?
Collecting network traffic and log data from multiple sources and then analyzing it manually will require many hours of analyst time. The use of threat feeds and intelligence fusion to automate parts of this analysis effort would enable a much swifter response.