Chapter 2: Cybersecurity Threat Landscape Review Questions

Question 1

1- Which of the following measures is not commonly used to assess threat intelligence?

A. Timeliness

B. Detail

C. Accuracy

D. Relevance

Answer 1

1. B. Although higher levels of detail can be useful, they aren’t a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

Question 2

2- What language is STIX based on?

A. PHP

B. HTML

C. XML

D. Python

Answer 2

2. C. STIX is an XML-based language, allowing it to be easily extended and modified while also using standard XML-based editors, readers, and other tools.

Question 3

3- Kolin is a penetration tester who works for a cybersecurity company. His firm was hired to conduct a penetration test against a health-care system, and Kolin is working to gain access to the systems belonging to a hospital in that system. What term best describes Kolin’s work?

A. White hat

B. Gray hat

C. Green hat

D. Black hat

Answer 3

3. A. Attacks that are conducted as part of an authorized penetration test are white-hat hacking attacks, regardless of whether they are conducted by internal employees or an external firm. Kolin is, therefore, engaged in white-hat hacking. If he were acting on his own, without authorization, his status would depend on his intent. If he had manicous intent, his activity would be considered black-hat hacking. If he simply intended to report vulnerabilities to the hospital, his attack would be considered gray hat. Green hat is not a commonly used category of attacker.

Question 4

4- Which one of the following attackers is most likely to be associated with an APT?

A. Nation-state actor

B. Hacktivist

C. Script kiddie

D. Insider

Answer 4

4. A. Advanced persistent threats (APTs) are most commonly associated with nation-state actors. It is unlikely that an APT group would leverage the unsophisticated services of a script kiddie. It is also unlikely that a hacktivist would have access to APT resources. Although APTs may take advantage of insider access, they are most commonly associated with nation-state actors.

Question 5

5- What organizations did the U.S. government create to help share knowledge between organizations in specific verticals?

A. DHS

B. SANS

C. CERTS

D. ISACs

Answer 5

1. D. The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help infrastructure owners and operators share threat information, and provide tools and assistance to their members.

Question 6

6- Which of the following threat actors typically has the greatest access to resources?

A. Nation-state actors

B. Organized crime

C. Hacktivists

D. Insider threats

Answer 6

6. A. Nation-state actors are government sponsored, and they typically have the greatest access to resources, including tools, money, and talent.

Question 7

7- Of the threat vectors listed here, which one is most commonly exploited by attackers who are at a distant location?

A. Email

B. Direct access

C. Wireless

D. Removable media

Answer 7

7. A. Email is the most common threat vector exploited by attackers who use phishing and other social engineering tactics to gain access to an organization. The other vectors listed here, direct access, wireless, and removable media, all require physical proximity to an organization and are not easily executed from a remote location.

Question 8

8- Which one of the following is the best example of a hacktivist group?

A. Chinese military

B. U.S. government

C. Russian mafia

D. Anonymous

Answer 8

8. D. The Chinese military and U.S. government are examples of nation-state actors and advanced persistent threats (APTs). The Russian mafia is an example of a criminal syndicate. Anonymous is the world’s most prominent hacktivist group.

Question 9

9- What type of assessment is particularly useful for identifying insider threats?

A. Behavioral

B. Instinctual

C. Habitual

D. IOCs

Answer 9

9. A. Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed—such as after-hours logins, misuse of credentials, logins from abnormal locations, or abnormal patterns—and other behavioral indicators are often used.

Question 10

10- Cindy wants to send threat information via a standardized protocol specifically designed to exchange cyber threat information. What should she choose?

A. STIX 1.0

B. OpenIOC

C. STIX 2.0

D. TAXII

Answer 10

10. D. TAXII, the Trusted Automated eXchange of Indicator Information protocol, is specifically designed to communicate cyber threat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language.

Question 11

11- Greg believes that an attacker may have installed malicious firmware in a network device before it was provided to his organization by the supplier. What type of threat vector best describes this attack?

A. Supply chain

B. Removable media

C. Cloud

D. Direct access

Answer 11

11. A. Tampering with equipment before it reaches the intended user is an example of a supply chain threat. It is also possible to describe this attack as a direct access attack because it involved physical access to the device, but supply chain is a more relevant answer. You should be prepared to select the best possible choice from several possible correct answers when you take the exam. Security+ questions often use this type of misdirection.

Question 12

12- Ken is conducting threat research on Transport Layer Security (TLS) and would like to consult the authoritative reference for the protocol’s technical specification. What resource would best meet his needs?

A. Academic journal

B. Internet RFCs

C. Subject matter experts

D. Textbooks

Answer 12

12. B. All of these resources might contain information about the technical details of TLS, but Internet Request for Comments (RFC) documents are the definitive technical standards for Internet protocols. Consulting the RFCs would be Ken’s best option.

Question 13

13- Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository?

A. Product manuals

B. Source code

C. API keys

D. Open source data

Answer 13

13. C. All of these items could be concerning, depending on the circumstances. However, API keys should never be found in public repositories because they may grant unauthorized individuals access to information and resources.

Question 14

14- Which one of the following threat research tools is used to visually display information about the location of threat actors?

A. Threat map

B. Predictive analysis

C. Vulnerability feed

D. STIX

Answer 14

14. A. Threat maps are graphical tools that display information about the geographic locations of attackers and their targets. These tools are most often used as interesting marketing gimmicks, but they can also help identify possible threat sources.

Question 15

15- Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?

A. Vulnerability feed

B. IoC

C. TTP

D. RFC

Answer 15

15. B. Specific details of attacks that may be used to identify compromises are known as indicators of compromise (IoCs). This data may also be described as an adversary tool, tactic, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC.

Question 16

16- Ursula recently discovered that a group of developers are sharing information over a messaging tool provided by a cloud vendor but not sanctioned by her organization. What term best describes this use of technology?

A. Shadow IT

B. System integration

C. Vendor management

D. Data exfiltration

Answer 16

16. A. The developers in question are using unapproved technology for business purposes. This is the classic definition of shadow IT. It is possible to describe this as data exfiltration, but there is no indication that the data security has been compromised, so shadow IT is a better description here. Remember, you will often be asked to choose the best answer from multiple correct answers on the exam.

Question 17

17- Tom’s organization recently learned that the vendor is discontinuing support for their customer relationship management (CRM) system. What should concern Tom the most from a security perspective?

A. Unavailability of future patches

B. Lack of technical support

C. Theft of customer information

D. Increased costs

Answer 17

17. A. Tom’s greatest concern should be that running unsupported software exposes his organization to the risk of new, unpatchable vulnerabilities. It is certainly true that they will no longer receive technical support, but this is a less important issue from a security perspective. There is no indication in the scenario that discontinuing the product will result in the theft of customer information or increased costs.

Question 18

18- Which one of the following information sources would not be considered an OSINT source?

A. DNS lookup

B. Search engine research

C. Port scans

D. WHOIS queries

Answer 18

18. C. Port scans are an active reconnaissance technique that probe target systems and would not be considered open source intelligence (OSINT). Search engine research, DNS lookups, and WHOIS queries are all open source resources.

Question 19

19- Edward Snowden was a government contractor who disclosed sensitive government documents to journalists to uncover what he believed were unethical activities. Which two of the following terms best describe Snowden’s activities? (Choose two.)

A. Insider

B. State actor

C. Hacktivist

D. APT

E. Organized crime

Answer 19

19. A, C. As a government contractor, Snowden had authorized access to classified information and exploited this access to make an unauthorized disclosure of that information. This clearly makes him fit into the category of an insider. He did so with political motivations, making him fit the category of hacktivist as well.

Question 20

20- Renee is a cybersecurity hobbyist. She receives an email about a new web-based grading system being used by her son’s school and she visits the site. She notices that the URL for the site looks like this: https://www.myschool.edu/grades.php studentID=1023425. She realizes that 1023425 is her son’s student ID number and she then attempts to access the following similar URLs:

https: //www.myschool.edu/grades.php&studentID=1023423
https: //www.myschool.edu/grades.php&studentID=1023424
https: //www.myschool.edu/grades.php&studentID=1023426
https: //www.myschool.edu/grades.php&studentID=102342721. When she does so, she accesses the records of other students. She closes the records and immediately informs the school principal of the vulnerability. What term best describes Renee’s work?

A. White-hat hacking

B. Green-hat hacking

C. Gray-hat hacking

D. Black-hat hacking

Answer 20

20. C. Renee was not authorized to perform this security testing, so her work does not fit into the category of white-hat hacking. However, she also does not have malicious intent, so her work cannot be categorized as a black-hat attack. Instead, it fits somewhere in between the two extremes and would best be described as gray-hat hacking.