CySA+ Flashcards

Question 1

Q

Sysmon

Answer

A

System Monitor tool that is part of Sysinternals. Logs activity to Event Monitor, and incorporates XML config files to establish rules to alert on (exclude typical Microsoft activity, look for this malicious behavior, etc)

Question 2

Q

Stored or Reflected XSS

Answer

A

Cross-site Scripting attack where an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

Example- script posted in a comment on a message board that then loads for any user that visits the page.

Question 3

Q

Blind XSS

Answer

A

A form of Stored XSS. Attacker injects the malicious script or payload ‘blindly’ on some web pages without having any assurance that it will be executing. Web pages that are likely to save their payload into the database are the most important carrier for Blind XSS attacks.

Example- script posted into a Reporting form on a website

Question 4

Q

Exact Data Match

Answer

A

EDM
Structured database of string values to match, used in DLP

Example- could store hashes of credit card numbers, then if DLP thinks a credit card number is being exported, hash it and see if the value matches in EDM.

Question 5

Q

SDL

Answer

A

Security Development Lifecycle
Microsoft’s security framework for application development that supports dynamic development processes

Question 6

Q

Rootkit

Answer

A

Class of malware that modifies system files (often at the kernel level) to conceal its presence and establish persistence

Question 7

Q

Buffer Overflow

Answer

A

Attack where data goes past the boundary of the destination buffer and begins to corrupt adjacent memory

Question 8

Q

Smash the Stack

Answer

A

Attacker fills up the buffer with NOP (No Operation) so that the return address may hit a NOP and continue on until it finds the attacker’s code to run

Question 9

Q

Heap Overflow

Answer

A

Vulnerability where software attempts to move data from one location in memory into a fixed-length buffer allocated on the heap, which is too small to hold the data.

Question 10

Q

Dereferencing

Answer

A

Software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing it points to

Question 11

Q

How can we mitigate race conditions?

Answer

A

Develop applications to not process things sequentially if possible.
Implement a locking mechanism within the app to provide exclusive access to that resource- for example SharePoint files get “checked out” and can’t be edited by someone else

Question 12

Q

icacls

Answer

A

Windows command-line utility that IT admins can use to change access control lists on files and folders.

Question 13

Q

Which coding languages are especially vulnerable to buffer overflow attacks?

Answer

A

C and C++, as strcpy does not perform boundary checking of buffers

Question 14

Q

How can we mitigate overflow attacks?

Answer

A

Proper input validation
Proper boundary checking
Use ASLR (address space layout randomization)
Run programs with least privilege

Question 15

Q

SEV

Answer

A

Secure Encrypted Virtualization
AMD Processor Security Extension

Question 16

Q

SGX

Answer

A

Software Guard Extensions
Intel Processor Security Extension

Question 17

Q

ASLR

Answer

A

Address Space Layout Randomization
Technique that hinders some types of security attacks by making it more difficult for an attacker to predict target addresses by randomly arranging theaddress spacepositions of key data areas of aprocess, including the base of theexecutableand the positions of thestack,heapandlibraries.

Question 18

Q

SME

Answer

A

Secure Memory Encryption
AMD Processor Security Extension

Question 19

Q

TXT

Answer

A

Trusted Execution Technology
Intel Processor Security Extension

Question 20

Q

Modbus

Answer

A

Communications protocol used in OT networks

Question 21

Q

Vehicular Vulnerabilites

Answer

A

Exploit over onboard cellular
Exploit over onboard WiFi
Attach exploit to the OBD-II

Question 22

Q

Masquerading

Answer

A

Dropper replaces legitimate executable with a malicious one (malicious one masquerades as legitimate one)

Question 23

Q

DLL Injection

Answer

A

DLL injection is a method of executing arbitrary code in the address space of a separate live process.

Question 24

Q

DLL Sideloading

Answer

A

Malicious DLL is loaded as part of a legit program that has a vulnerability that was exploited

Question 25

Q

Process Hollowing

Answer

A

Dropper starts process in a suspended state, then rewrites the memory locations containing the process code with the malware code

Question 26

Q

Military Data Classifications

Answer

A

Unclassified- no restrictions
Classified- viewing restricted to authorized persons within organization or to third parties under NDA
Confidential- highly sensitive, only for approved persons within org (and MAYBE trusted third parties under NDA)
Secret- valuable info, viewing must be severely restricted
Top Secret- info that would cause grave danger if inadvertently disclosed

Question 27

Q

SOX

Answer

A

Sarbanes-Oxley Act
Law in regards to an organization’s financial and business operations- specifies what types of documents need to be kept and for how long (auditing)

Question 28

Q

GLBA

Answer

A

Gramm-Leach-Bliley Act
Sets forth requirements that help protect the privacy of an individual’s financial information that is held by financial institutions or others that may store it

Question 29

Q

FISMA

Answer

A

Federal Information Security Management Act
Sets forth requirements for federal organizations to adopt information assurance controls

Question 30

Q

Data Steward

Answer

A

Role focused on the quality of the data and associated metadata

Question 31

Q

ISA

Answer

A

Interconnection Security Agreement
Document that regulates security-relevant aspects of an intended connection between a government agency and an external system

Question 32

Q

PUF

Answer

A

Physically Unclonable Function
A physical entity embodied in a physical structure, usually implemented in integrated circuits. These physical variances can actually be used in cryptographic functions.

Question 33

Q

Secure Enclave

Answer

A

Provides CPU hardware-level isolation and memory encryption on every server, by isolating application code and data from anyone with privileges, and encrypting its memory. With additional software, secure enclaves enable the encryption of both storage and network data for simple full stack security. Secure enclave hardware support is built into all new CPUs from Intel and AMD.

Question 34

Q

EMM

Answer

A

Enterprise Mobility Management
MDM suite with broader capabilities such as IAM

Question 35

Q

Insecure Components

Answer

A

Any code that is used or invoked outside the main program development process-
Code Reuse
Using a third-party library
Software Development Kit

Question 36

Q

Field Bus

Answer

A

Digital serial data communications used in OT networks to link PLCs

Question 37

Q

TPM

Answer

A

Trusted Platform Module
Hardware in COMPUTER that assists with cryptographic functions

Question 38

Q

Trusted Execution

Answer

A

CPU’s security extensions invoke a TPM and secure boot attestation to ensure that a trusted OS is running

Question 39

Q

PLC

Answer

A

Programmable Logic Controller
Type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems

Question 40

Q

Firmware

Answer

A

Programming that is written directly to a hardware device’s static memory. It is used to run user programs on the device and can be thought of as the software that enables hardware to run.
Firmware has complete control over hardware and system memory, thereby making it a lucrative target

Question 41

Q

COSO

Answer

A

Committee of Sponsoring Organizations of the Treadway Commission
Provides guidance on a variety of governance related topics including fraud, controls, finance and ethics

Question 42

Q

Error Handler

Answer

A

Coding methods to anticipate and deal with exceptions thrown during execution of a process

Question 43

Q

When you find a suspicious process, what things should you consider?

Answer

A

Identify how the process interacts with the Registry and file system
How is it being launched?
Is the image file located in system folder or a temp folder?
What files are being manipulated by the process?
Does the process restore itself upon reboot after deletion?
Does a system privilege or service get blocked if you delete the process?
Is the process interacting with the network?

Question 44

Q

HTTP Response Codes- 4xx Range

Answer

A

These are client-side errors.
400- request couldn’t be parsed by server
401- request didn’t supply authentication credentials
403- insufficient permissions
404- requested resource doesn’t exist

Question 45

Q

Covert Channels

Answer

A

Transmitting data over nonstandard port
Encoding data in TCP/IP packet headers
Segmenting data into multiple packets and sending spread out
Obfuscation by using HEX
Transmitting encrypted data

Question 46

Q

Fileless Detection Techniques

Answer

A

Techniques that require analysis of the contents of system memory and of process behavior rather than scanning the file system

Question 47

Q

When analyzing firewall logs, what four types of useful security data can be provided?

Answer

A

Connections that are permitted or denied
Port and protocol usage within network
Bandwidth utilization with the duration and volume of usage
Audit log of all address translations that occurred

Question 48

Q

ALE and how to calculate

Answer

A

Annual Loss Expectancy
Multiply SLE (Single Loss Expectancy) by ARO (Annual Rate of Occurrence)
Example- if SLE is $2500, and it will likely happen 4 times, the ALE would be $10,000

Question 49

Q

NIST Cybersecurity Framework

Answer

A

Risk-based framework that is focused on IT security over IT service provision.
FRAMEWORK CORE identifies five key functions (Identify, Protect, Detect, Respond, Recover) with subcategories
IMPLEMENTATION TIERS see how closely the FRAMEWORK CORE functions are integrated with org’s overall risk management process
FRAMEWORK PROFILES show current/target outcomes to identify where it is best to invest to close the gap in any cybersecurity capabilities

Question 50

Q

Footprinting

Answer

A

Use of tools to map out layout of a NETWORK, usually in terms of
IP address usage
Routing topology
DNS namespace

Question 51

Q

Fingerprinting

Answer

A

Use of tools that perform HOST SYSTEM DETECTION to map out data like
Open ports
OS type and version
File shares
Running services/applications
System uptime
Other useful metadata

Question 52

Q

nmap -sV

Answer

A

Probe open ports to determine service/version info

Question 53

Q

nmap -A

Answer

A

Enable OS detection, version detection, script scanning and traceroute

Question 54

Q

Secure Erase

Answer

A

Sanitizing solid-state device using manufacturer provided software

Question 55

Q

ROSI

Answer

A

Return on Security Investment
Is a security control worth the cost of deploying and maintaining it?
((ALE-ALE with mitigation in place) - Cost of mitigation)/Cost of mitigation

Question 56

Q

nmap -f or –mtu

Answer

A

Fragmentation, splits TCP header of each probe between multiple IP datagrams to make it hard for IDS/IPS to detect

Question 57

Q

Reconstruction

Answer

A

Method of restoring a system that has been sanitized using scripted installation routines and templates

Question 58

Q

nmap -sS

Answer

A

TCP SYN scan, or “half open” scan
Sends a SYN packet to identify the port state without sending back an ACK afterwards
Requires root privileges on system you’re scanning from

Question 59

Q

WRT

Answer

A

Work Recovery Time
Length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event

Question 60

Q

Enterprise Security Architecture

Answer

A

Framework for defining the baseline, goals, and methods to secure a business

Question 61

Q

RPO

Answer

A

Recovery Point Objective
Goal for maximum amount of DATA organization can tolerate losing. Measured in time

Question 62

Q

RTO

Answer

A

Recovery Time Objective
Goal an organization sets for maximum length of time it should take to restore normal ops following an outage

Question 63

Q

CDM

Answer

A

Continuous Diagnostics and Mitigation
Provides US gov. agencies/departments with capabilities and tools to identify cybersecurity risks on ongoing basis, prioritize them based on potential impact, and enable cybersecurity personnel to mitigate the most significant problems

Question 64

Q

CVSS and Categories

Answer

A

Common Vulnerability Scoring System
Way to quantify vulnerability data and then take into account degree of risk to different types of system info
0- no risk
0.1-3.9- Low
4.0-6.9- Medium
7.0-8.9- High
9.0-10.0- Critical

Answer 65

A

Request for Change
Document that lists the reason for a change and the procedures to implement that change

Answer 66

A

Spoofing tool that allows crafting of network packets to exploit vulnerable IDS/IPS

Answer 67

A

Command line tool used to brute-force WPS enabled accessed points. WPS used 8 digit points so very easy to hack into

Answer 68

A

Printers
VoIP phones
Embedded Systems

Answer 69

A

SERVICE ACCOUNTS, not local admins

Answer 70

A

Command line tool used to poison responses to NetBIOS, LLMNR and MDNS name resolution requests in an attempt to perform a Man in the Middle attack.
Intercepts request and the returns attacker IP as the name record

Answer 71

A

Suite of utilities designed for wireless network security testing

Answer 72

A

Utility in Aircrack-ng
Enable/disable monitor mode on cards

Answer 73

A

Utility in Aircrack-ng
Capture wireless frames

Answer 74

A

Utility in Aircrack-ng
Deauth users and impersonate

Answer 75

A

Utility in Aircrack-ng
Extract auth key and retrieve plaintext password- only works on WEP networks

Answer 76

A

Command line tool used to perform brute force and dictionary attacks against password hashes
Uses GPU to perform brute force cracking faster

Answer 77

A

Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures
Example- using %2e%2e%2f in place of ../

Answer 78

A

Technique that defends against SQL injection and insecure object references by incorporating placeholders in a SQL query

Basically says “only use these formats”

Answer 79

A

A type of session hijacking in which attacker alters, forges, hijacks an otherwise valid cookie sent back to a server to steal data, bypass security, or both

Answer 80

A

Attacker executes a script to inject a remote file INTO the web app or website. Example- embedding a hidden URL into the request to have it execute a script hosted on another site

Answer 81

A

Attacker adds a file to the web app or website that already exists on the hosting server. Example- using directory traversal to try and get the web server to allow a command prompt

Answer 82

A

Coding vulnerability where unvalidated input is used to select a resource object like a file or database
To mitigate, implement access control techniques in applications to verify a user is authorized to access a specific object

Answer 83

A

Encryption or Input Validation

Answer 84

A

A string is stripped of illegal characters or substrings and converted to the accepted character set

Answer 85

A

Coding method to sanitize output by converting untrusted output to a SAFE FORM where the input is DISPLAYED AS DATA to the user WITHOUT EXECUTING AS CODE in the browser

Answer 86

A

Request user-specific tokens in all form submissions

Answer 87

A

Secure- instructs client’s web browser to only send cookie if its over secure channel (HTTPS)
HTTP Only- disables access from client-side scripting to your cookie, can only access via HTTP
Domain- sets domain of server that cookie is valid for, limits who has access
Path- Specify URL path for which cookie is valid
Expires- specify when persistent cookie expires

Answer 88

A

Frame busting- a technique that removes the malicious iframe loaded on a site by forcing a specific page to the top frame. Can be implemented using Javascript or by setting X-FRAME-OPTIONS to DENY

Answer 89

A

XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it.

Used in Billion Laughs Attack, which would define 10 entities that each defined as consisting of 10 of the previous entity, which eventually expands to one billion copies of the first entity. This would most likely exceed computer memory.
The first entity was LOL, by the way.

Answer 90

A

XML External Entity
Type of attack against an application that parses XML input
Occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser
Attack can lead to disclosure of confidential data, DoS, server side request forgery, etc

Answer 91

A

Cross-site Scripting
User trusts a badly implemented website
Attacker injects a script into the trusted website
User’s browser executes attacker’s script

Answer 92

A

Cross-Site Request Forgery
A badly implemented website trusts the user
Attacker tricks user’s browser into issuing requests
Website executes the attacker’s requests

Answer 93

A

Applications should ONLY send data between authenticated hosts using encryption to protect the session
Do NOT use hardcoded credentials in the application
Disable use of client password autocomplete features, temporary files, and cookies

Answer 94

A

Form of XSS that targets the Document Object Model on websites. Never reaches the server and instead executes in the user’s browser.

Example- a page designed to take a user’s name and display it on the webpage could have scripting executed in it if a malicious url was sent to the user. Then when they navigate to this page, it executes the script and makes the page look completely different

Answer 95

A

Creates and updates inventory of assets by conducting enumeration of network without scanning for vulnerabilities

Answer 96

A

Extensible Configuration Checklist Description Format
A structured collection of security configuration rules for some set of target systems. Written in XML

Answer 97

A

Open Vulnerability and Assessment Language
XML schema for describing system security state and querying vulnerability reports and information

Answer 98

A

Security Content Automation Protocol
NIST Framework that outlines acceptable practices for vulnerability scanning and standardizes the format and descriptive language with which software flaws and security configuration information is communicated, both to machines and humans.

Answer 99

A

Sysinternals utility that allows you to verify root certificates in the local store against Microsoft’s master trust list

Answer 100

A

Access Complexity
High or Low

Answer 101

A

Common Configuration Enumeration
Scheme for provisioning secure configuration checks across multiple sources

Answer 102

A

Software development method where application and platform requirements are frequently tested and validated for immediate availability

Answer 103

A

Software development method where code updates are tested and committed to a dev or build server/code repository rapidly

Answer 104

A

Opensource cloud penetration testing framework to test the security configuration of an AWS account

Answer 105

A

Auditing tool for AWS that evaluates the cloud infrastructure against AWS benchmarks, GDPR compliance, and HIPAA compliance

Answer 106

A

Open-source tool written in Python that can audit instances and policies created on multicloud platforms

Answer 107

A

Cross Origin Resource Sharing Policy
A CDN policy that instructs the browser to treat requests from nominated domains as safe
Weak CORS policies can expose site to XSS vulnerabilities

Answer 108

A

API must only be used over an encrypted channel
Data received by an API must pass server-side validation routines
Error messages should be sanitized
Implement throttling/rate limiting mechanisms to protect from a DoS
APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data

Answer 109

A

Function as a Service
Cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language

“Run things and make applications without having our own servers”

Answer 110

A

Automation tool that uses YAML files rather than user agents

Answer 111

A

Command line tool to transfer data from or to a server, using protocols like HTTP, FTP, etc

Answer 112

A

Security Assertions Markup Language
XML-based data format used to exchange authentication info between a client and a service
Provides SSO and federated identity management

Answer 113

A

Simple Object Access Protocol
XML-based web services protocol that is used to exchange messages between applications

Answer 114

A

Enterprise Service Bus
Common component of SOA (service oriented architecture) that facilitates decoupled service-to-service communication

Answer 115

A

Service Oriented Architecture
Software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology
Each piece can be produced/tested separately
Each service takes defined inputs and produces defined outputs
An overall architecture for mapping business workflows to the IT systems that support them

Answer 116

A

Most widely used web app scanner. Free and open source.

Answer 117

A

Man in the middle software that sits between a client and server and allows requests/responses to be analyzed and modified

Answer 118

A

Proprietary tool for performing security testing of web applications that supports the entire testing process, from initial mapping and analysis of attack surface to finding and exploiting security vulnerabilities

Answer 119

A

Open source web application scanner with a GUI, makes findings a lot easier to take in

Answer 120

A

Widely used vulnerability scanner that can identify known web server vulnerabilities and misconfigurations, identify web appliances running on a server, and identify potential known vulnerabilities in those web applications

Command-line only, so data can be challenging to digest

Answer 121

A

Open-source tool that converts an OS to a relational database so that you can perform easy analytics using SQL queries

Answer 122

A

Dynamic code analysis technique that involves sending a running application random and unusual input to evaluate how the application responds

Answer 123

A

Dynamic testing tool used to analyze software as it executes

Answer 124

A

Using an obfuscator

Answer 125

A

Interactive Disassembler
Popular cross-platform disassembler and decompiler used by reverse engineers

Answer 126

A

Pseudocode

Answer 127

A

Reverse engineering tool that converts machine code or assembly language to code in a specific higher-level language or psuedocode

Answer 128

A

Type of reverse engineering software that converts machine language code into assembly language code

Answer 129

A

User Acceptance Training
Beta testing by the end users that proves a program is usable and fit-for-purpose in real-world conditions

Answer 130

A

Process of validating software design through mathematical modeling of expected inputs and outputs

Answer 131

A

regedit doesn’t display last modification time of a value by default. Changes to registry are a major IoC so not knowing when a change happened is not good.
Use regdump, which will dump contents of registry to a text file for analysis

Answer 132

A

Information- successful events
Warning- not necessarily a problem but could end up one
Error- significant problems which could inhibit functionality
Audit success/failure- only in security logs

Answer 133

A

Manages access to user desktop and loading user profile through userinit.exe

Answer 134

A

Special kind of process that hosts threads that only run in kernel mode
PID is ALWAYS 4

Answer 135

A

Client Server Runtime Subsystem
User mode side of Windows subsystem, and responsible for process thread creation and deletion. Always running, CRITICAL to system operation. If terminated, will result in system failure.

Answer 136

A

Windows Initialization Process
Responsible for launching services.exe, lsass.exe, and lsaiso.exe within session 0

Answer 137

A

Responsible for creating new sessions

Answer 138

A

Service Control Manager (SCM)- handles system services like svchost.exe, dllhost.exe, and many others

Answer 139

A

Service Host- responsible for hosting and managing Windows services.
These services are implemented as DLLs stored in the Registry.
When it calls upon a service it uses the -k flag.

Answer 140

A

Local Security Authority Subsystem- enforces security policy on system. Handles authentication/authorization services for the system, and writes to Windows Security Log

Answer 141

A

Reverse engineer code used by the processes
Discover how processes interact with the file system and Registry
Examine network connections
Retrieve cryptographic keys
Extract strings

Answer 142

A

Are security services prevented from running?
Is the process running the service compromised?
Is the service disabled by a DDoS?
Is there excessive bandwidth usage?

Answer 143

A

Detect
Destroy (probably only in a government agency, hack back is illegal)
Degrade
Disrupt
Deny
Deceive

Answer 144

A

Windows Explorer
Gives users access to their folders and files
Provides functionality to start menu, task bar, etc

Answer 145

A

Achieve persistence- modifying Registry Key entries
Delete Registry Keys to clean up prior activity
Modify Registry Keys to conceal payloads/commands used to maintain persistence

Answer 146

A

Analyzing save state files
VM introspection

Answer 147

A

Configure firewalls to allow only whitelisted ports to communicate on ingress/egress interfaces
Config documentation should also show which server ports are allowed on any given host type
Configure detection rules to alert on mismatched protocol usage over a standard port

Answer 148

A

Suite of tools designed to assist with troubleshooting issues with Windows
Many of these tools are suited to investigating security issues

Answer 149

A

Uses tools installed to the hypervisor to retrieve pages of memory for analysis

Answer 150

A

Place where an adversary begins to collect data in preparation for exfiltration. Data is often compressed and encrypted.
Temp files or folders
User profile locations
Data masked as logs
Alternate Data Streams

Answer 151

A

Detecting these attacks can be very difficult as it can’t be differentiated from legitimate authentication
Most AV will block tools that allow this such as Mimikatz
Restrict and protect high privileged accounts (Domain admin, local admin)
Restrict inbound traffic to workstations using firewall

Answer 152

A

Data Exfiltration
Insider Data Exfiltration
Device Theft/Loss
Accidental Data Breach
Integrity/Availability Breach (corruption of data, destruction of system, etc)

Answer 153

A

Linux command that displays a list of users who are currently logged into the computer

Answer 154

A

Tools that can help identify suspicious service activity even when antimalware fails to identify it
Task Manager
Windows Services Manager (services.msc)
net start (command line)
Get-Service (Powershell)

Answer 155

A

Windows command to start a network service or list running network services.

Answer 156

A

Indicators that a legitimate process has been corrupted with malicious code
Process making changes to registry file without permission
Accessing data files in temp locations
Using the network for malicious activity

Answer 157

A

Responsible for:
Forwarding traffic
Encrypting traffic
NAT
Filtering traffic with ACLs

Answer 158

A

Makes decisions about how traffic should be prioritized and secured, and where it should be switched

Answer 159

A

Monitors traffic conditions and network status

Answer 160

A

Install, update, validate trusted root certificates
Deploying, updating, revoking subject certificates
Preventing use of self-signed certificates
SSH Key Management

Answer 161

A

Windows utility that allows you to display certificate authority configuration info, configure certificate services, verify certificate’s key pair and certificate chains

Answer 162

A

Library of software functions supporting the SSL/TLS protocol
Has commands to create/view digital certificates, generate private keys, test TLS/SSL functions

Answer 163

A

Center for Internet Security
Not-for-profit org that publishes well-known “Top 18 Critical Security Controls”

Answer 164

A

1- Inventory and control of authorized devices
2- Inventory and control of authorized software
3- Data protection
4- Secure configuration of assets and software
5- Account management

Answer 165

A

Common Platform Enumeration
Scheme for identifying hardware devices, operating systems, and applications

Answer 166

A

Common Attack Pattern Enumeration and Classification
Knowledge base maintained by MITRE

Answer 167

A

Real time log analysis to ID suspicious traffic and redirect to sinkhole or black hole
Use geolocation/IP reputation data to redirect/ignore suspicious traffic
Aggressively close slower connections by reducing timeouts on affected servers
Use caching and backend infrastructure to offload processing to other servers
Utilize enterprise DDoS protection services

Answer 168

A

Linux tool that retrieves a list of all files currently open on the OS
Quickly get a list of all resources a process is currently using

Answer 169

A

Don’t recognize process name
Name similar to legit process (scvhost vs svchost)
Appears without an icon, version info, description, company name
Unsigned, especially if it claims to be from a well known company
Digital signature doesn’t match identified publisher
Doesn’t have parent/child relationship with principal Windows process
Hosted by utilities like Explorer, Notepad, Task Manager, etc
Packed or compressed (highlighted purple in Process Explorer)

Answer 170

A

Contains info that Windows continually references during operation, which is necessary info for configuration:
User profiles
Installed applications
Types of documents users/apps can create
Hardware on system
Ports being used

Answer 171

A

Process of peer review of uncompiled source code by other developers

Answer 172

A

Windows- shimmed/injected into a host process by making it load the malicious code as a DLL
Linux- often injected into Shared Objects (.so files)

Answer 173

A

Physical hosts AND virtual hosts

Answer 174

A

Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website.

Answer 175

A

Secure Sockets Layer; all three versions are considered obsolete and insecure

Answer 176

A

Group Policy Object
A group policy is used to manage Windows systems in a Windows network domain environment utilizing a Group Policy Object (GPO). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.

Answer 177

A

which bash
By executing the “which bash” command, the system will report the file structure path to where the bash command is being run. If the directory where bash is running is different from the default directory for this Linux distribution, this would indicate a compromised machine.

Answer 178

A

Tombstone

Answer 179

A

Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number.

Answer 180

A

planning
requirements
design
implementation
testing
deployment
maintenance

Answer 181

A

Attack Surface

Answer 182

A

Advanced IDS and user behavior analytics tools are the best option, but they will not detect everything

Answer 183

A

A system feature that enables one system entity to signal information to another entity by directly or indirectly writing a storage location that is later directly or indirectly read by the second entity

Answer 184

A

Strong encryption of data both at rest and in transit

Answer 185

A

cron
systemctl
ps
top

Answer 186

A

Layer 5
Establishes connection between source and destination
Data divided into packets
Sessions are unique- data cannot travel across different sessions

Answer 187

A

Attacker accesses NTDS.DIT
Attacker dumps NTDS.DIT, exposing krbtgt
Uses krbtgt to craft Golden Ticket
Uses Golden Ticket to assume admin rights

Answer 188

A

Tool developed for sys admins as alternative to Telnet and other remote access services. Can be used by attackers for privilege escalation

Answer 189

A

Same query repeated several times when a bot is checking into a control server for more orders
Commands sent within request or response queries will be longer and more complicated than normal
Atypical query types being used (TXT, MX, CNAME, NULL)

Answer 190

A

Sensitive Personal Information (opinions, beliefs, etc)

Answer 191

A

Tool that allows you to search the file system for keywords quickly, including system areas such as Recycle Bin, NTFS shadow copy and system volume information

Answer 192

A

Attacker uses a host as a pivot and is then able to access one of its open TCP/IP ports to send traffic to a port of a host on a different subnet

Answer 193

A

Use digital certificates on endpoints and servers to authenticate, and encrypt traffic using IPSec or HTTPS

Answer 194

A

Using the -D flag sets up a local proxy and port forwarding
Attackers can chain proxy servers together in order to continue pivoting from host to host until they reach a mission critical host or server

Answer 195

A

Linux tool that retrieves how much disk space is being used by all mounted file systems and how much space is available for each

Answer 196

A

Linux tool that enables you to retrieve how much disk space each directory is using based on the specific directory

Answer 197

A

Windows command with some advanced functionality for file system analysis

Answer 198

A

Filters all file/folder types that match (x), such as dir /AH displays only hidden files and folders

Answer 199

A

Shows who owns each file in addition to standard info

Answer 200

A

Displays alternate data streams for a file

Answer 201

A

Port scanning or sweeps
Non standard port usage
Covert channels
Rogue Devices
Traffic Spikes

Answer 202

A

netcat
Swiss Army Knife of network administration
Made for reading from or writing to network connections
Port scanning
Remote administration
File transfer
Attackers can use for port listening or to create a backdoor

Answer 203

A

Network based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashes came from
Attacker could obtain cached hash of local admin that had previously signed in and use this hash for privilege escalation
Only works if hash is stored on target system (user has signed in there before)

Answer 204

A

Install a WAF to analyze inbound requests

Answer 205

A

Scan based on compliance template or checklist
Ensure controls and configuration settings are properly applied to a given host

Answer 206

A

Comprehensive scan that forces the use of more plug-in types. Takes longer and there’s higher risk of causing service disruption

Answer 207

A

Analyzes hosts for unpatched software vulnerabilities and configuration issues

Answer 208

A

Artificial Neural Network

Answer 209

A

Process of incorporating new updates and information to an organization’s existing database to improve accuracy

Answer 210

A

Security Orchestration Automation and Response
Security tools that facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment
Primarily used for incident response

Answer 211

A

SIEM with an integrated SOAR

Answer 212

A

Checklist of actions to perform to detect and respond to a specific type of incident

Answer 213

A

Automated version of a playbook that leaves clearly defined interaction points for human analysis

Answer 214

A

Senior executive w/ ultimate responsibility for maintaining CIA of the information asset

Answer 215

A

Role responsible for handling the management of the system on which the data assets are stored

Answer 216

A

Responsible for the oversight of any PII/SPI/PHI assets managed by the company

Answer 217

A

Microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software does not deviate from its documented function)

Answer 218

A

Firmware update that is digitally signed by the vendor and trusted by the system before installation

Answer 219

A

Segmentation
Disabling unused services

Answer 220

A

There are bad sectors on the destination drive

Answer 221

A

Treats the specified search pattern as case insensitive

Answer 222

A

Identity Provider
Provides the validation of the user’s identity when using SAML for authentication

Answer 223

A

Perform a scan from on-site
If the organization’s network is set up correctly, scanning from off-site will be much more difficult as many of the devices will be hidden behind the firewall. By conducting an on-site scan, you can conduct the scan from behind the firewall and receive more detailed information on the various servers and services running on the internal network.

Answer 224

A

Suspend the machine and copy the contents of the directory it resides in

Answer 225

A

SEC- Security
PEI- Pre-EFI Initialization
DXE- Driver Execution Environment
BDS- Boot Device Select
TSL- Transient System Load
RT- Runtime

Answer 226

A

Should only be exposed to an isolated or dedicated network used for management and configuration

Answer 227

A

Ensuring the safety and security of all personnel
Prevent further exfiltration of data or prevent the ongoing intrusion from spreading

Answer 228

A

Eliminates information from being feasibly recovered even in a laboratory environment
Includes degaussing, encryption of data with the destruction of its encryption key, and other non-destructive techniques

Answer 229

A

A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely.

Answer 230

A

10.x.x.x
172.16-31.x.x
192.168.x.x

Answer 231

A

Admins and analysts should not perform any actions on the network until they receive law enforcement guidance
Employees should receive guidance from law enforcement on what they should and should not say to people outside of the investigation

Answer 232

A

Walking around a building while attempting to locate wireless networks and devices

Answer 233

A

Attacker establishes a connection with a remote machine first (telnet, nc, proprietary connection)
Then sends a bad request
Causes a vulnerable host to respond with a banner message that reveals compromising information such as OS type, software version, etc

Answer 234

A

NIPS would either shut it down or block it

Answer 235

A

Reduce the frequency of scans (once every 48 hours, once every week)
Reduce the scope of scans (scan less systems or vulnerability signatures)
Add additional vulnerability scanners to the process

Answer 236

A

Cyber- use of hardware or software IT systems
Human- social engineering, coercion, impersonation, force
Physical- gaining local access

Answer 237

A

System on a network used to access and manage devices in a separate security zone

Answer 238

A

Full packet capture

Answer 239

A

Configure a virtual switch on the physical server and create VLANs

Answer 240

A

Polymorphic virus

Answer 241

A

Endpoint forensics

Answer 242

A

Sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive

Answer 243

A

Perform a cryptographic erase

Answer 244

A

Overwrites a storage device by setting all bits to the value of 0 but is not effective on SSDs or Hybrid Drives

Answer 245

A

Data is encrypted by an application prior to being placed on the data bus

Answer 246

A

Deidentification method where a unique token is substituted for real data

Answer 247

A

Deidentification technique where data is generalized to protect the individuals involved
“90% of subjects did not experience side effects”

Answer 248

A

Software Development Lifecycle

Answer 249

A

Software development model where the phases of the SDLC cascade so that each phase will start only when all tasks from the previous phase are complete

Answer 250

A

Software development model that focuses on iterative and incremental development to account for evolving requirements and expectations

Answer 251

A

Security framework for secure application development

Answer 252

A

Blind Testing
Security analyst receives no privileged information about the software

Answer 253

A

Basic Input/Output System
The software used to start your computer
Initializes CPU and memory
Conducts a Power on Self Test (POST)
Looks for a boot loader and starts the OS
Tells the computer how to do its most basic functions (handle input from keyboard)

Answer 254

A

Unified Extensible Firmware Interface
Defines a software interface between an OS and platform firmware

Answer 255

A

Full Disclosure Testing
Security analyst receives privileged info about the software such as source code and credentials

Answer 256

A

Security analyst receives partial disclosure of information about software

Answer 257

A

Open Web Application Security Project
Charity and community that publishes a number of secure application development resources

Answer 258

A

Sys Admin, Network, and Security Institute
Company specializing in cybersecurity and secure web application development training
Sponsors GIAC (Global Information Assurance Certification)

Answer 259

A

Vulnerability that allows attacker to run their own code

Answer 260

A

Vulnerability that allows an attacker to transmit code from a remote host for execution on a target host over the internet

Answer 261

A

Temporary storage area that a program uses to store data
Think of system memory as a table. There are glasses for water at each spot. Each glass can only contain so much water, and if it exceeds that, it can make a mess on the table. The glasses are buffers.

Answer 262

A

An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow

Answer 263

A

Software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order/timing intended by the developer

Answer 264

A

Time of Check to Time of Use
Potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource

Answer 265

A

Real Time Operating System
Prioritizes execution of operations to ensure consistent response for time-critical tasks
For systems that cannot tolerate reboots or crashes and must have response times that are predictable to within microsecond tolerances

Answer 266

A

Human Machine Interface
Input and output controls on a PLC to allow a user to configure and monitor the system

Answer 267

A

Supervisory Control and Data Acquisition
Type of industrial control system that manages large scale, multisite devices and equipment spread over geographic region

Answer 268

A

Building Automation Systems
Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers

Answer 269

A

Controller Area Network
Digital serial data communications network used within vehicles

Answer 270

A

0- Emergency
1- Alert
2- Critical
3- Error
4- Warning
5- Notice
6- Informational
7- Debug
“Everyone Always Complains Even When Nothing Is Different”

Answer 271

A

Server-side issue
500- general error
502- bad gateway has occurred when the server is acting as a proxy
503- overloading of server is causing service unavailability
504- gateway timeout which means there’s an issue with the upstream server

Answer 272

A

Run any code at the highest level of CPU privilege

Answer 273

A

Hardware Security Module
High end cryptographic hardware used in large environments
Provides secured backup storage for keys
Uses cryptographic accelerators to offload CPU overhead from other devices

Answer 274

A

Hardware Root of Trust
TPM and HSM fall into this category
Designed to be difficult to change or avoid

Answer 275

A

Secure Boot
Measured Boot
Attestation

Answer 276

A

UEFI checks booting programs for known-good digital signature, will not run it if they don’t match

Answer 277

A

a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server.

Answer 278

A

As part of UEFI, report is digitally signed using TPM’s private key, showing the data presented is valid

Answer 279

A

Certain operations that should only be performed once or not at all, such as initializing a memory location

Answer 280

A

System-on-Chip
Type of embedded application commonly used in mobile devices which contains integrated CPU, memory, graphics, audio, network, storage controllers, and software on one chip

Answer 281

A

Field Programmable Gate Array
A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture

Answer 282

A

A type of file signature, the first two bytes of a binary header that indicates its file type

Answer 283

A

Web Application Firewall
Designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks
Used to prevent things like injection attacks and XSS

Answer 284

A

Coordinated Universal Time
A time standard that is useful when your SIEM is collecting data from logs in multiple time zones

Answer 285

A

Network monitoring stem that detects changes in normal operating data sequences and identifies abnormal sequences
Generates alerts when there are deviations from a defined tolerance level from a given baseline
(Uses customer data)

Answer 286

A

Network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside of the acceptable range
Generates alerts on any event or outcome that doesn’t follow a set pattern or rule.
(Uses prescribed patterns like an RFC or industry standard)

Answer 287

A

Matches a single instance of a character within
[a-z], [A-Z], [0-9], [a-zA-Z0-9] for alphanumeric characters

Answer 288

A

Quantifier, matches one or more occurrences
Ex- /apples+/ would match apples and applessss

Answer 289

A

Matches zero or more occurrences
Ex- /apples*/ would match apples, applessss but also apple

Answer 290

A

Using OSINT to gather info about a domain, such as subdomains, hosting provider, administrative contacts, etc

Answer 291

A

The OR logical operator

Answer 292

A

Defines a group

Answer 293

A

Will only match at the start of a line when searching

Answer 294

A

Will only match at the end of a line when searching

Answer 295

A

Capturing contents of disk drive while computer is still running
Contents can be change during acquisition (ex- user is connected remotely and making changes at the same time as investigator)

Answer 296

A

Computer shutdown through OS properly and then the disk is acquired
Malware may detect shutdown and perform anti-forensics

Answer 297

A

dd command- specify input file (if) and output file (of)
dd if =/dev/sda of=/mnt/flashdrive/evidence.dd

Answer 298

A

Open source command line tool for file carving that is used as part of The Sleuth Kit

Answer 299

A

Cisco developed means of reporting network flow information to a structured database
Creates flows and groupings for later review
Provides METADATA not FPC so will not provide a complete record of what happened

Answer 300

A

Requirements (Planning and Direction)
Collection and Processing
Analysis
Dissemination
Feedback
(repeat)

Answer 301

A

Matches 0 or 1 occurrences
Ex- /apples?/ would match apple or apples but not applessss

Answer 302

A

User and Entity Behavior Analytics
System that can provide automated identification of suspicious activity by user accounts and computer hosts
Compares against baseline data
Heavily reliant on AI or machine learning

Answer 303

A

Matches the number of times within the curly braces such as
\d{3} matching 3 digits
\d{7-10} matching 7 to10 digits

Answer 304

A

Identification
Collection
Analysis
Reporting

Answer 305

A

Extracting data from a computer when that data has no associated file system metadata (someone tried to delete it)
Attempts to piece together data fragments from slack space to reconstruct deleted files or at least parts of those files

Answer 306

A

Disable web admin interfaces and use SSH shells for access
Use ACLs to restrict access to designated host devices
Monitor the number of designated interfaces
Deny internet access for remote management (connect to VPN to get on LAN first)

Answer 307

A

Adversary’s use of random delay to try and throw off detecting connection attempt intervals. Used in beaconing to C2 servers

Answer 308

A

Active scanning engine installed on the enterprise console

Answer 309

A

Scans a range of IP addresses, shows which IP addresses are in use, and provides the following information: DNS name. System Name. Location.

Answer 310

A

This could mean:
The machines are unreachable
The community string being used is invalid
The machines are not running SNMP servers

Answer 311

A

Isolate the workstation by disabling the switch port and resetting the user’s credentials
Workstation should be imaged for analysis and then remediated or reimaged

Answer 312

A

Containment, eradication, and recovery

Answer 313

A

Blind SQL injection

Answer 314

A

Data Execution Prevention
Windows built-in memory protection resource
This prevents code from being run in pages that are marked as nonexecutable. DEP, by default, only protects Windows programs and services classified as essential, but it can be used for all programs and services, or all programs and services except the ones on an exception list.

Answer 315

A

To determine how a piece of malware operates
To allow an attacker to spot vulnerabilities in an executable
To commit industrial espionage

Answer 316

A

Security policy auditor in Windows

Answer 317

A

Service controller

Answer 318

A

Over the shoulder

Answer 319

A

Alternates between programmers, with one strategizing and reviewing it while the other enters the computer’s code

Answer 320

A

Fast flux DNS is being used for an attacker’s C2

Answer 321

A

nmap -sT (TCP connect scan)

Answer 322

A

a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity (high scool, pet’s name, etc)

Answer 323

A

Includes the ethernet header during packet capture

Answer 324

A

Infrastructure as Code

Answer 325

A

FTK Imager

Answer 326

A

A cipher that is outdated and should not be used for any modern applications

Answer 327

A

User conducted a ping sweep of the subnet

Answer 328

A

Integer overflow attack

Answer 329

A

Allows backups of directories to include permissions, saved to a text file.

Answer 330

A

Used to restore the permissions from the backup created.

Answer 331

A

Utilize a secure recursive DNS resolver to a third-party secure DNS resolver

Answer 332

A

Focuses on technologies, settings, and configurations

Answer 333

A

Looks at how a function is performed or what it accomplishes

Answer 334

A

Describes how systems interconnect

Answer 335

A

SANS Investigative Forensics Toolkit
Group of free, open-source incident response and forensic tools designed to perform detailed digital forensic examinations in various settings.

Answer 336

A

COMMERCIALLY AVAILABLE forensics tools

Answer 337

A

TCP ACK
Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered.

Answer 338

A

Setting the secure attribute on the cookie
When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS).

Answer 339

A

Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.

Answer 340

A

Service Provider (SP)

Answer 341

A

Use a mathematical model of the inputs and outputs of a system to prove that the system works as specified in all cases.

Answer 342

A

GPS Location
NAC

Answer 343

A

Static Code Analysis

Answer 344

A

A strategy that strengthens an organization’s security posture by implementing multiple levels of protection, including inherently secure computer systems and protocols, high level encryption, and authentication. Called such since it implies the organization no longer relies on its network perimeter for security.
Essentially instead of walled cities we have a heavier police presence

Answer 345

A

The attack widely fragmented the image across the host file system

Answer 346

A

Adjacent
Attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS)

Answer 347

A

Boot with Safe Mode

Answer 348

A

When booting in Safe Mode, Run and RunOnce are ignored by the Windows system.

Answer 349

A

File integrity monitoring program

Answer 350

A

Hex-code for :

Answer 351

A

Hashing algorithms provide INTEGRITY while encryption algorithms can ensure CONFIDENTIALITY

Answer 352

A

Slack space is the space left after a file has been written to a cluster. Slack space may contain remnant data from previous files after the pointer to the files was deleted by a user.

Answer 353

A

Recycle bin or slack space

Answer 354

A

Wildcard- any single character except newline

Answer 355

A

Escape the next character- only used with metacharacters
Example- if you wanted to treat a . as a period and not as a wildcard you’d use .

Answer 356

A

This is how to express a tab in Regex

Answer 357

A

This is how to express a new line in Regex

Answer 358

A

Add ^ as the first character inside a character set
Ex- /[^aeiou]/ matches any one consonant
Ex- /see[^mn]/ would match seek, but not seem or seen

Answer 359

A

Digit, equivalent of [0-9]

Answer 360

A

Word character, equivalent of [a-zA-Z0-9_]

Answer 361

A

Whitespace, equivalent of [\t\n]

Answer 362

A

Exclude digits [^0-9]

Answer 363

A

Exclude word characters [^a-zA-Z0-9_]

Answer 364

A

Exclude whitespace [^\t\n]

Answer 365

A

Perform a DNS brute force attack. This queries a list of IPs and typically bypasses IPS systems that do not alert on DNS queries.

Answer 366

A

The scan is returning a false positive
The critical patch did not remediate the vulnerability

Answer 367

A

The types of information an organization will maintain
The length of time they will maintain it

Answer 368

A

Purposely manipulating service quality to decrease their transfer speeds

Answer 369

A

Analyze the trends of the events while manually reviewing them to see if any indicators match

Answer 370

A

Training and transition

Answer 371

A

A TCP SYN scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets.

Answer 372

A

access_log

Answer 373

A

Pair programming, as it utilizes two developers working on one workstation, where one developer reviews the code being written in real-time by the other developer.

Answer 374

A

If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud.

Answer 375

A

Detection, remediation, testing

Answer 376

A

The attachment is using a double file extension to mask its identity

Answer 377

A

Search the registry for a complete list

Answer 378

A

Chained exploits

Answer 379

A

Instructs Quantifier to use a lazy strategy for making choices, ie match as little as possible before giving control to the next expression part

Answer 380

A

tcpdump -i eth0 host 10.10.1.1
The host option specifies a filter to capture ALL traffic to or from a designated IP address

Answer 381

A

The attacker routed traffic destined for the diontraining.com domain to the localhost

Answer 382

A

Owner, group, other

Answer 383

A

Read = 4
Write = 2
Execute = 1

Answer 384

A

Hex code for @ symbol

Answer 385

A

ESTABLISHED

Answer 386

A

HFS+
Hierarchical File System Plus

Answer 387

A

Domain Keys Identified Mail
Provides a cryptographic authentication mechanism that can replace or supplement SPF. Organization uploads a public key as a TXT record in the DNS server

Answer 388

A

Sender Policy Framework
Uses a DNS record published by an organization hosting an email service. The SPF record identifies the host authorized to send emails from that domain and there must be only one per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does though.

Answer 389

A

Domain Based Massage Authentication, Reporting and Conformance Framework
Can ensure that SPF and DKIM are being utilized effectively. DMARC relies on DKMI for the cryptographic authentication mechanism.

Answer 390

A

Network Access Control
An approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.
When a remote workstation connects to the network, NAC will place it in into a segmented portion of the network, scan it for malware and validate its security controls, and then based on the results of those scans either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation.

Answer 391

A

Combining the dictionary and brute force methods into a single tool

Answer 392

A

Shows the contents of the NetBIOS name cache and shows a list of name to IP address mappings

Answer 393

A

OSINT searches of support forums and social engineering

Answer 394

A

Creates a group
(abc) would match abcdefg
(abc)+ would match both abc and abcabcabc
(in)?dependent would match independent and dependent

Answer 395

A

Occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media

Answer 396

A

User and entity behavior analytics to establish baseline behavior

Answer 397

A

Print services, listening for incoming connections

Answer 398

A

IPP- Internet Printing Protocol

Answer 399

A

Printer related

Answer 400

A

Microsoft SQL

Answer 401

A

Oracle database

Answer 402

A

VNC desktop sharing

Answer 403

A

Common alt port for HTTPS

Answer 404

A

Critical or high vulnerabilities

Answer 405

A

The only validation they do is check the version number of an operating system or application against a list of known vulnerabilities. This approach is unable to detect any remediation activities that may have taken place that do not alter the version number.

Answer 406

A

Systems involved in the incident

Answer 407

A

Information about files
Removed or deleted files

Answer 408

A

nmap cannot tell whether the port is open or closed

Answer 409

A

No scanning is required, though you should do it anyway

Answer 410

A

Configuring vulnerability scanner to start a new scan immediately after the prior scan completes

Answer 411

A

Time to resolve critical vulnerabilities

Answer 412

A

A rule that will never trigger because it is placed beneath a broader rule. Example- rule 1 allows any traffic over the internet to ports 80 or 443. Rule 2 is listed below it and is meant to block any traffic to Blocked hosts but since rules trigger in order, it won’t fire.
Rule 1: allow TCP any (source) any (ports) Internet (destination network) 80, 443 (destination ports)
Rule 2: deny TCP any (source) any (ports) Blocked_Hosts (dest) 80, 443 (dest ports)

Answer 413

A

Zero-write the device

Answer 414

A

$home/.bash_history

Answer 415

A

Session hijacking

Answer 416

A

HTTP Banner grabbing using netcat

Answer 417

A

Used for port scanning when a better port scanning tool is unavailable

Answer 418

A

An open redirect vulnerability occurs when an application allows a user to control a redirect or forward to another URL. If the app does not validate untrusted user input, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker’s phishing site.

Answer 419

A

/var/log/auth.log

Answer 420

A

Turns off pings

Answer 421

A

Set scan timing
-T0 “paranoid”
-T1 “sneaky”

Answer 422

A

An event- anything that is an observable occurrence

Answer 423

A

Malware Information Sharing Platform
An open source threat information platform used to facilitate the collection and sharing of threat information

Answer 424

A

An open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It is a platform meant for processing and sharing knowledge for cyber threat intelligence purposes.

Answer 425

A

Open source, rule based NIDS/NIPS

Answer 426

A

Action, Protocol, Source IP, Source Port, Direction (unidirectional or bidirectional), Destination IP, Destination Port, Options

Answer 427

A

Alert
Log
Drop
Reject

Answer 428

A

IP, TCP, UDP and ICMP
To specify other protocols you’d do it by port number

Answer 429

A

Quick identifier of the rule that will appear in the console/log. Usually a one liner that summarizes the event.

Answer 430

A

Snort Rule ID
<100- Reserved rules
100-999,999- rules that come with the build
>=1,000,000- rules created by user

Answer 431

A

Each rule can have additional information or reference to explain the purpose of the rule or threat pattern. That could be a common vulnerabilities and exposures ID or external information. Having references for the rules will always help analysts during the alert and incident investigation.

Answer 432

A

Snort rules can be modified and updated for performance and efficiency issues. Rev option help analysts to have the version information of each rule. Therefore it will be easy to understand rule improvements.

Answer 433

A

Payload data. It matches specific payload data by ASCII, hex, or both. It is possible to use this option multiple times in a single rule. However, the more you create specific pattern match features, the more it takes time to investigate a packet.

Answer 434

A

Use the nocase option

Answer 435

A

Use the flags option. Example for SYN:
alert tcp any any <> any any (msg: “FLAG TEST”; flags:S; sid: 1000001; rev:1;)

Answer 436

A

Use the dsize option. Examples:
dsize:100<>300
dsize:>100
dsize:<100

Answer 437

A

/etc/snort/rules/local.rules

Answer 438

A

input validation
least privilege

Answer 439

A

Brute force attack where stolen credentials are tested against multiple websites

Answer 440

A

%2e%2e%2f is the encoding of ../

Answer 441

A

Scan type that analyzes the responses from probes sent to a target
Consumes network bandwidth and processor resources

Answer 442

A

Uses a service account and since it can access privileged areas it is more likely to find vulnerabilities

Answer 443

A

Can use default passwords still. Less likely to find vulnerabilities than credentialed

Answer 444

A

Scanner installed locally. Reduces impact on network, but could be compromised by malware

Answer 445

A

Scan type that analyzes only intercepted network traffic rather than sending probes to a target
Least likely to create impact on network/hosts
Least likely to properly identify vulnerabilities

Answer 446

A

Software Defined Networking
APIs and compatible hardware allowing for programmable network appliances and systems
Create more complex networks due to size, scope, and ability to rapidly change

Answer 447

A

Standard for encapsulating EAP communications over a LAN or WLAN and that provides port-based authentication

Answer 448

A

Null scan
Conducts a scan by sending a packet with the header bit set to zero
Most IDS/IPS will flag this as malicious

Answer 449

A

–scan-delay <time>
Issues probes with significant delays to become stealthier and avoid detection by an IDS or IPS</time>

Answer 450

A

List scan
Lists the IP addresses from a target range and performs a reverse DNS query to discovery any host names associated with them

Answer 451

A

Method of restoring a system that cannot be sanitized using manual removal, reinstallation, and monitoring processes

Pulling out exact, small bits of data, like performing surgery with a scalpel

Answer 452

A

UDP scan
Sends a UDP packet to a target and waits for a response or timeout

Answer 453

A

Christmas Tree Scan
Conducts scan by sending packet with FIN, PSH and URG flags set to one
Lights up IDS “like a Christmas Tree” and is really just a way of seeing if blue team is paying attention

Answer 454

A

Sends unexpected FIN packet
Most IDS/IPS will flag as malicious

Answer 455

A

TCP connect, conducts full three-way handshake
This is the default if you don’t have root or admin privileges

Answer 456

A

Save output to a greppable format

Answer 457

A

Save output to XML file

Answer 458

A

Save output normally

Answer 459

A

Single loss expectancy
Asset Value x Exposure Factor = SLE
50,000 x 0.05 (20% likelihood) = $2500

Answer 460

A

Windows Management Instrumentation Command-Line
Program used to review log files on a remote Windows machine, provide users with a terminal interface, and enables admins to run scripts to manage machines remotely

Answer 461

A

Provides a live view of memory usage per running application or service.

Answer 462

A

A Windows tool to both see real-time data and graph it over time

Answer 463

A

Looks at multiple potentially related binaries that have anti-reverse engineering tools run on them and looks for similarities, helping the tool identify malware families despite the protections that malware authors begin.

Answer 464

A

Threat intelligence is used to provide IP information for rules.

Answer 465

A

Remote execution of code

Answer 466

A

Availability rules or alerts

Answer 467

A

/var/log/auth.log

Answer 468

A

If files in the directory have changed

Answer 469

A

Both /etc/passwd and /etc/shadow

Answer 470

A

Sysinternals tool. GUI based, gives a full view of file system and registry settings and can display either files with permissions that are less restrictive than the parent or any files with permissions that differ from the parent

Answer 471

A

A command line program that can check the rights a user or group has to resources

Answer 472

A

Proactive network segmentation

Answer 473

A

Notification to their acquiring bank

Answer 474

A

Rebuild and patch the system using original installation media and application software using your organization’s build documentation

Answer 475

A

Encrypt the raw file and transfer a hash and key under separate cover

Answer 476

A

Ensuring that information is used only for disclosed purposes

Answer 477

A

This is a difficult method and prone to error.
Better methods include use of asset management tool, running a discovery scan, or using results of other recent scans.

Answer 478

A

Internal and external scanning

Answer 479

A

Highly formalized, rigorous code review process that involves six phases

Answer 480

A

SDLC phase that is designed to ensure that data is properly purged at the end of an application life cycle

Answer 481

A

UAT- User acceptance training

Answer 482

A

DMARC
While SPF and DKIM can help, combining them to limit trusted senders to only a known list and proving that the domain is the domain that is sending the email combine in the form of DMARC to prevent email impersonation when other organizations also DMARC.

Answer 483

A

Plug the system into an isolated switch and use a span port or tap and Wireshark / tcpdump to capture traffic.

Answer 484

A

Router and switch-based MAC address reporting

Answer 485

A

Most powerful mode, it will try all possible character combinations as defined by the settings you enter at the start

Answer 486

A

Copy the virtual disk files and then use a memory capture tool.

Answer 487

A

Designed for secure end-to-end messaging.
Using a distinct messaging tool for incident response can be helpful to ensure that staff separates incident communication from day-to-day operations.

Answer 488

A

A tool used to securely wipe files and drives.
If eraser is not typically installed on your organization’s machines, you should expect that the individual being investigated has engaged in some anti-forensic activities including wiping files that may have been downloaded or used against company policy

Answer 489

A

Control Objectives for Information and Related Technologies. Consists of four domains:
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate

Answer 490

A

ISO 27001

Answer 491

A

Percentage of asset expected to be impacted if the risk materializes

Answer 492

A

7 characters

Answer 493

A

Quarterly or after any significant change in the network

Answer 494

A

Logical segmentation

Answer 495

A

US government standard for information processing, and FIPS 140-2 is used to approve cryptographic modules

Answer 496

A

Used to allow software defined network controllers to push changes to switches and routers, allowing flow control, network traffic partitioning, and testing of applications and configurations.

Answer 497

A

Tools that self-extract when run, making the code harder to reverse engineer

Answer 498

A

Use actual encryption or simply obfuscate the code, making it harder to interpret or read

Answer 499

A

Software that is intended to prevent reverse engineering and often include packing and encryption techniques as well as other protective technologies

Answer 500

A

Domain Generation Algorithm
Creates procedurally generated domain names for malware command and control hosts

Answer 501

A

ASLR and the NX bit

Answer 502

A

file, which shows a file’s format, encoding, what libraries it is linked to, and file type

Answer 503

A

Ophcrack, which uses a rainbow table

Answer 504

A

Logical acquisition

Answer 505

A

certutil
certutil -hashfile [file location] md5

Answer 506

A

A network link or route has been repaired

Answer 507

A

Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system.

Answer 508

A

Single sign on implementations

Answer 509

A

A testing file often used by web developers during the initial configuration of a server.
Best practice is to remove this file before the server is moved into production or made publicly accessible.

Answer 510

A

Stands for no execute, used to mark certain areas of memory as non executable

Brainscape's Knowledge GenomeTM

CySA+ Flashcards

Brainscape's Knowledge Genome^TM