Ch.2 Cybersecurity Threat Landscape Flashcards

1
Q

Which of the following measures is not commonly used to assess threat intelligence?

A) Timeliness
B) Detail
C) Accuracy
D) Relevance

A

✅ Correct Answer: B) Detail
Explanation: Threat intelligence is assessed based on timeliness, accuracy, and relevance. The level of detail in the information is important but not a primary assessment criterion.

❌ Incorrect Answers:
A) Timeliness – Security teams need up-to-date intelligence to act on current threats.
C) Accuracy – False positives or inaccurate intelligence can mislead security efforts.
D) Relevance – Intelligence must be applicable to the organization’s security environment.

2
Q

Which one of the following motivations is most commonly attributed to hacktivists?

A) War
B) Financial gain
C) Political/philosophical beliefs
D) Ethical

A

✅ Correct Answer: C) Political/philosophical beliefs
Explanation: Hacktivists use cyberattacks to promote a political or ideological cause (e.g., defacing websites, leaking documents).

❌ Incorrect Answers:
A) War – This is typically associated with nation-state actors, not hacktivists.
B) Financial gain – Organized crime focuses on financial motives, not hacktivists.
D) Ethical – While hacktivists believe they are acting ethically, ethical hackers (white-hat) perform legal testing, not attacks.

3
Q

Kolin is a penetration tester who works for a cybersecurity company. His firm was hired to conduct a penetration test against a health-care system, and Kolin is working to gain access to the systems belonging to a hospital in that system. What term best describes Kolin’s work?

A) Authorized attacker
B) Unauthorized attacker
C) Unknown attacker
D) Semi-authorized attacker

A

✅ Correct Answer: A) Authorized attacker
Explanation: An authorized attacker (white-hat hacker) is hired to legally test security defenses. Penetration testers like Kolin follow ethical hacking principles to help organizations improve security.

❌ Incorrect Answers:
B) Unauthorized attacker – A hacker working without permission is black-hat.
C) Unknown attacker – The hospital knows Kolin is conducting a test.
D) Semi-authorized attacker – Gray-hat hackers act without full permission.

4
Q

Which one of the following attackers is most likely to be associated with an APT (Advanced Persistent Threat)?

A) Nation-state actor
B) Hacktivist
C) Unskilled
D) Insider

A

✅ Correct Answer: A) Nation-state actor
Explanation: Advanced Persistent Threats (APTs) involve long-term, stealthy attacks by government-sponsored groups. APTs aim to steal classified data, disrupt infrastructure, or conduct espionage.

❌ Incorrect Answers:
B) Hacktivist – Hacktivists conduct loud, disruptive attacks, not long-term stealth campaigns.
C) Unskilled – Script kiddies lack the skill and resources for APTs.
D) Insider – Insiders may be dangerous but usually don’t engage in nation-state level espionage.

5
Q

Which organization did the U.S. government help create to share knowledge between organizations in specific verticals?

A) DHS
B) SANS
C) CERTS
D) ISACs

A

✅ Correct Answer: D) ISACs
Explanation: The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help industries exchange cybersecurity intelligence.

❌ Incorrect Answers:
A) DHS – The Department of Homeland Security oversees ISACs but isn’t a knowledge-sharing organization itself.
B) SANS – SANS provides cybersecurity training, not industry collaboration.
C) CERTS – Computer Emergency Response Teams (CERTs) help respond to incidents but aren’t industry-focused.

6
Q

Which of the following threat actors typically has the greatest access to resources?

A) Nation-state actors
B) Organized crime
C) Hacktivists
D) Insider threats

A

✅ Correct Answer: A) Nation-state actors
Explanation: Governments invest heavily in cyberwarfare and espionage, giving nation-state attackers the most resources.

❌ Incorrect Answers:
B) Organized crime – Criminal groups have funding but lack government-level resources.
C) Hacktivists – Hacktivists are often volunteers with limited funding.
D) Insider threats – Insiders may have access but typically act alone with limited resources.

7
Q

Of the threat vectors shown here, which one is most commonly exploited by attackers who are at a distant location?

A) Email
B) Direct access
C) Wireless
D) Removable media

A

✅ Correct Answer: A) Email
Explanation: Phishing emails are the #1 attack vector for distant attackers.

❌ Incorrect Answers:
B) Direct access – Requires physical presence near the target.
C) Wireless – Attackers need to be close to exploit Wi-Fi vulnerabilities.
D) Removable media – USB-based attacks rely on someone plugging in the device.

8
Q

Which one of the following is the best example of a hacktivist group?

A) Chinese military
B) U.S. government
C) Russian mafia
D) Anonymous

A

✅ Correct Answer: D) Anonymous
Explanation: Anonymous is a well-known hacktivist collective that conducts politically motivated cyberattacks.

❌ Incorrect Answers:
A) Chinese military – A nation-state, not hacktivists.
B) U.S. government – A legitimate entity, not a hacktivist group.
C) Russian mafia – Part of organized crime, focused on profit.

9
Q

What type of assessment is particularly useful for identifying insider threats?

A) Behavioral
B) Instinctual
C) Habitual
D) IoCs

A

✅ Correct Answer: A) Behavioral
Explanation: Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed—such as after-hours logins, misuse of credentials, logins from abnormal locations, or abnormal patterns—and other behavioral indicators are often used.

❌ Incorrect Answers:
B) Instinctual – Instincts aren’t reliable for insider threat detection.
C) Habitual – Tracking habits may help, but behavioral analysis is more effective.
D) IoCs – Indicators of Compromise (IoCs) detect external attacks.

10
Q

Cindy is concerned that her organization may be targeted by a supply chain attack and is conducting a review of all of her vendor and supplier partners. Which one of the following organizations is least likely to be the conduit for a supply chain attack?

A) Hardware provider
B) Software provider
C) Managed service provider
D) Talent provider

A

✅ Correct Answer: D) Talent provider
Explanation: A talent provider handles hiring and staffing, not IT infrastructure.

❌ Incorrect Answers:
A) Hardware provider – Devices may come pre-installed with malware.
B) Software provider – Software can be injected with backdoors before release.
C) Managed service provider – MSPs have broad access to client networks, making them attractive targets.

11
Q

Greg believes that an attacker may have installed malicious firmware in a network device before it was provided to his organization by the supplier. What type of threat vector best describes this attack?

A) Supply chain
B) Removable media
C) Cloud
D) Direct access

A

✅ Correct Answer: A) Supply chain
Explanation: Tampering with equipment before delivery is a supply chain attack.

💡 Security+ Exam Tip: It is also possible to describe this attack as a direct access attack because it involved physical access to the device, but supply chain is a more relevant answer. Security+ questions often include distractors.

❌ Incorrect Answers:
B) Removable media – Involves USB devices, not firmware.
C) Cloud – Attack does not involve cloud services.
D) Direct access – Would require physical access after delivery.

12
Q

Ken is conducting threat research on Transport Layer Security (TLS) and would like to consult the authoritative reference for the protocol’s technical specification. What resource would best meet his needs?

A) Academic journal
B) Internet RFCs
C) Subject matter experts
D) Textbooks

A

✅ Correct Answer: B) Internet RFCs
Explanation: RFCs (Request for Comments) are official documents defining internet protocols.

❌ Incorrect Answers:
A) Academic journal – May provide research, but not official specs.
C) Subject matter experts – Experts interpret RFCs, but don’t define them.
D) Textbooks – Summarize standards but don’t define them.

13
Q

Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her the most if discovered in a public repository?

A) Product manuals
B) Source code
C) API keys
D) Open source data

A

✅ Correct Answer: C) API keys
Explanation: API keys grant access to cloud services and systems. If exposed, attackers can steal data, modify settings, or compromise entire cloud environments.

❌ Incorrect Answers:
A) Product manuals – Usually not sensitive information.
B) Source code – Can be valuable, but API keys allow direct system access.
D) Open-source data – Publicly available, so not a security risk.

14
Q

Which one of the following threat research tools is used to visually display information about the location of threat actors?

A) Threat map
B) Predictive analysis
C) Vulnerability feed
D) STIX

A

✅ Correct Answer: A) Threat map
Explanation: Threat maps display cyberattacks in real time, showing geographic locations of attack sources and targets.

❌ Incorrect Answers:
B) Predictive analysis – Uses historical data to forecast attacks, but doesn’t map them.
C) Vulnerability feed – Lists security vulnerabilities, not attack locations.
D) STIX – Structured Threat Information eXpression (STIX) formats threat intelligence but doesn’t display maps.

15
Q

Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?

A) Vulnerability feed
B) IoC
C) TTP
D) RFC

A

✅ Correct Answer: B) IoC (Indicator of Compromise)
Explanation: Indicators of Compromise (IoCs) are forensic clues that help detect past or ongoing attacks. Hash values of malware allow security teams to identify infected systems.

❌ Incorrect Answers:
A) Vulnerability feed – Lists software weaknesses, not signs of attack.
C) TTP – Tactics, Techniques, and Procedures (TTPs) describe how attacks happen, not specific evidence of compromise.
D) RFC – Request for Comments (RFCs) define internet protocols, not threats.

16
Q

Ursula recently discovered that a group of developers are sharing information over a messaging tool provided by a cloud vendor but not sanctioned by her organization. What term best describes this use of technology?

A) Shadow IT
B) System integration
C) Vendor management
D) Data exfiltration

A

✅ Correct Answer: A) Shadow IT
Explanation: Shadow IT refers to unauthorized technology that employees use without IT approval, creating security risks.

❌ Incorrect Answers:
B) System integration – Relates to merging IT systems, not unauthorized software.
C) Vendor management – Involves oversight of approved vendors, not unapproved apps.
D) Data exfiltration – Refers to stealing data, not using unauthorized apps.

17
Q

Tom’s organization recently learned that the vendor is discontinuing support for their customer relationship management (CRM) system. What should concern Tom the most from a security perspective?

A) Unavailability of future patches
B) Lack of technical support
C) Theft of customer information
D) Increased costs

A

✅ Correct Answer: A) Unavailability of future patches
Explanation: Unsupported software won’t receive security updates, making it vulnerable to exploits.

💡 Security+ Exam Tip: Vendors ending support is a major risk because unpatched systems become easy targets for attackers.

❌ Incorrect Answers:
B) Lack of technical support – Important, but not a security issue.
C) Theft of customer information – Could happen if security updates stop, but is not an immediate effect.
D) Increased costs – A business concern, not a security issue.

18
Q

Which one of the following information sources would not be considered an OSINT source?

A) DNS lookup
B) Search engine research
C) Port scans
D) WHOIS queries

A

✅ Correct Answer: C) Port scans
Explanation: Port scanning actively probes a system for vulnerabilities, making it active reconnaissance, not passive OSINT.

❌ Incorrect Answers:
A) DNS lookup – Can reveal server names and IP addresses, which are OSINT.
B) Search engine research – Publicly available web data is OSINT.
D) WHOIS queries – Provide domain ownership details, a passive OSINT technique.

19
Q

Edward Snowden was a government contractor who disclosed sensitive government documents to journalists to uncover what he believed were unethical activities. Which of the following terms best describe Snowden’s activities? (Choose two.)

A) Insider
B) State actor
C) Hacktivist
D) APT
E) Organized crime

A

✅ Correct Answers:
✔ A) Insider – Snowden was a government contractor with internal access.
✔ C) Hacktivist – He acted based on political/moral beliefs, a characteristic of hacktivism.

❌ Incorrect Answers:
B) State actor – He was not acting on behalf of a government.
D) APT – Advanced Persistent Threats (APTs) are state-sponsored, not individual whistleblowers.
E) Organized crime – Snowden was not financially motivated.

20
Q

Renee is a cybersecurity hobbyist. She receives an email about a new web-based grading system being used by her son’s school and she visits the site. She notices that the student ID number is included in the URL and begins changing the number to access other student records. She then reports the vulnerability. What term best describes Renee’s work?

A) Authorized hacking
B) Unknown hacking
C) Semi-authorized hacking
D) Unauthorized hacking

A

✅ Correct Answer: C) Semi-authorized hacking
Explanation: Gray-hat hackers (semi-authorized hackers) act without official permission but without malicious intent. Renee reported the issue instead of exploiting it.

💡 Security+ Exam Tip: If a hacker reports a vulnerability instead of exploiting it, it’s semi-authorized (gray-hat hacking).

❌ Incorrect Answers:
A) Authorized hacking – Requires formal permission (e.g., penetration testers).
B) Unknown hacking – Security teams know Renee found the flaw.
D) Unauthorized hacking – Black-hat hackers exploit flaws for personal gain.

21
Q

What is an example of an image-based attack?

A) An attacker sends a phishing email containing an infected link
B) A malware-infected image is uploaded to a website and automatically executes malicious code when viewed
C) A hacker creates a malicious removable USB drive to spread malware
D) An attacker scans an open port and exploits a vulnerability

A

✅ Correct Answer: B) A malware-infected image is uploaded to a website and automatically executes malicious code when viewed
🔹 Explanation: Image-based attacks use malicious payloads hidden inside images, often through steganography or embedded scripts. Attackers encode malicious code into image metadata or embed JavaScript that runs when the image is loaded.

❌ Incorrect Answers:
A) Phishing email with an infected link – This describes a message-based attack, not an image-based attack.
C) Malicious removable USB drive – This describes a removable media attack, not an image-based attack.
D) Open port scanning and exploitation – This is a network vulnerability attack, not image-based.

22
Q

Which of the following attack vectors is the most difficult to detect using traditional antivirus solutions?

A) Malicious file attachments
B) Exploitation of open service ports
C) Memory-based (fileless) attacks
D) Default credentials being used

A

✅ Correct Answer: C) Memory-based (fileless) attacks
🔹 Explanation: Fileless malware operates entirely in RAM (system memory) and never writes files to disk, making it invisible to traditional antivirus solutions, which scan file signatures.

❌ Incorrect Answers:
A) Malicious file attachments – Antivirus tools can scan file attachments for known malware signatures.
B) Exploitation of open service ports – While open ports can be exploited, this is not a fileless attack. Firewalls and network monitoring tools can detect unusual activity on open ports.
D) Default credentials being used – Default credentials pose a serious security risk, but they do not evade antivirus software.

23
Q

What is the primary difference between Indicators of Compromise (IoCs) and Indicators of Attack (IoAs)?

A) IoCs only apply to insider threats, while IoAs only apply to APTs
B) IoCs track financial impact, while IoAs focus on espionage motives
C) IoCs analyze network activity, while IoAs focus on malware signatures
D) IoCs focus on forensic evidence after an attack, while IoAs identify suspicious activity before an attack occurs

A

✅ Correct Answer: D) IoCs focus on forensic evidence after an attack, while IoAs identify suspicious activity before an attack occurs
🔹 Explanation:
IoCs: Used after an attack, helping security teams detect ongoing or past breaches. Examples: log anomalies, malware signatures, file hashes.
IoAs: Predictive; focus on real-time attack behaviors (e.g., privilege escalation, lateral movement attempts).

❌ Incorrect Answers:
A) IoCs only apply to insider threats, while IoAs only apply to APTs – IoCs and IoAs apply to ALL attack types, not just insiders or APTs.
B) IoCs track financial impact, while IoAs focus on espionage – IoCs and IoAs do not measure financial loss; they detect technical attack details.
C) IoCs analyze network activity, while IoAs focus on malware signatures – Both IoCs and IoAs analyze network traffic, but their purpose differs (forensic vs. predictive).