CySA Flashcards

1
Q

Port 20/21

A

FTP

2
Q

Port 22

A

SSH

3
Q

Port 23

A

Telnet

4
Q

Port 25

A

SMTP

5
Q

Port 53

A

DNS (UDP AND TCP)

6
Q

Port 67/68

A

DHCPs

7
Q

Port 69

A

TFTP (UDP)

8
Q

Port 80

A

HTTP

9
Q

Port 110

A

POP3 (mail receiving protocol)

10
Q

Port 111

A

RPCBind (Linux)

11
Q

Port 123

A

NTP

12
Q

Port 135

A

MSRPC

13
Q

Port 137

A

NetBIOS name service

14
Q

Port 138

A

NetBIOS datagram service

15
Q

Port 139

A

NetBIOS SNN

16
Q

Port 143

A

IMAP4 (email server protocol)

17
Q

Port 161/162

A

SNMP

18
Q

Port 389

A

LDAP

19
Q

Port 443

A

HTTPS

20
Q

Port 445

A

Windows file sharing (SMB and MDS AD)

21
Q

Port 500

A

ISAK (TCP rules for the internet)

22
Q

Port 514 UDP

A

Syslog, mostly for Linux

23
Q

Port 515

A

Printing LPD

24
Q

Port 520

A

RIP (routing protocol like OSPF but uses less memory)

25
Q

Port 631

A

Printing (always TCP for print service ports)

26
Q

Port 636

A

LDAPs

27
Q

Port 993

A

IMAPs

28
Q

Port 995

A

POP3s

29
Q

Port 1433

A

SQL

30
Q

Port 1434

A

SQL (UDP)

31
Q

Port 1521

A

Oracle

32
Q

Port 1720

A

H.323 (VoIP and telephony)

33
Q

Port 1723 and 1194

A

PPTP and OpenVPN (both VPN protocols); PPTP is no longer considered very secure

34
Q

Port 3306

A

MySQL

35
Q

Port 3389

A

RDP

36
Q

Port 4500

A

NAT

37
Q

Port 5900

A

VNC

38
Q

NMAP -sS

A

(TCP SYN Scan):
This flag initiates a TCP SYN scan, also known as a half-open scan. It sends SYN packets to target ports and analyzes the response to determine whether the port is open, closed, or filtered. Slightly faster than -sT.

39
Q

Nmap -sT

A

(TCP Connect Scan):
The TCP Connect Scan is a full (open) three-way handshake scan. It connects to the target port and waits for a response to determine if the port is open.

40
Q

nmap -sU

A

(UDP Scan):
This flag performs a UDP scan, which is used to identify open UDP ports. UDP scans are generally slower and more challenging than TCP scans due to the stateless nature of UDP.

41
Q

nmap -O, -sV, -A

A

-O is OS detection

-sV is (Version Detection):
This flag attempts to determine the version and service information of open ports by comparing responses to known service fingerprints. It can help identify vulnerable software versions.

The -A flag combines these two.

42
Q

nmap --script

A

(Scripting Engine):
The --script flag allows you to run Nmap scripts against the target. These scripts can perform various tasks, such as vulnerability scanning, service discovery, and more. For example, you might use --script vuln to run vulnerability scripts.

43
Q

nmap -oN, -oX, -oG

A

(Output Formats):
These flags allow you to specify different output formats for Nmap results. -oN saves results to a normal text file, -oX saves results in XML format, and -oG generates a grepable output format.

44
Q

nmap -p

A

(Port Specification):
Use the -p flag to specify which ports you want to scan. You can define a single port, a range of ports, or even use a comma-separated list of ports.

45
Q

nmap -T

A

(Timing Template):
The -T flag controls the timing template for the scan. Options range from 0 (paranoid) to 5 (insane). Faster timing templates can increase the speed of the scan but might be more likely to trigger intrusion detection systems.

46
Q

nmap -v -vv

A

(Verbose Output):
The -v flag provides verbose output, displaying additional information about the scan process. -vv increases the level of verbosity.

47
Q

nmap -Pn

A

(No Ping):
Use the -Pn flag to skip the host discovery phase and assume that the target host is online. This is useful when you want to scan hosts that might not respond to ping requests.

48
Q

What is banner grabbing, and what are the common services and protocols used for it?

A

Banner grabbing is the technique of collecting information about a system available on a network and all the services running on its open ports. Administrators can use this technique to take inventory of the systems and services on their network. Banner grabbing is often used for white-hat as well as grey-hat hacking. (HTTP, FTP, and SMTP)

Telnet, Wget, cURL, Nmap, NetCat, ASR

49
Q

Describe the CVSS Parameters and what they mean

CVSS:3.0/AV:/AC:/PR:/UI:/S:/C:/I:/A:

A

Attack Vector
Attack Complexity
Privilege Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Scores:
0.1-3.9 Low
4.0-6.9 Medium
7.0-8.9 High
9.0-10 Critical

50
Q

What is p0f v3?

A

It is a passive scanning tool that looks at TCP traffic. It can identify the OS quickly, measure system uptime, automate detection of connection sharing, and detect clients and servers that make declarative statements. Zeek is another similar tool.

51
Q

What is footprinting?

A

Discovering the layout of the network: subnets, routing, protocols, etc. Can be an IoC.

52
Q

What is fingerprinting?

A

Discovering what specifically is running on a host: open ports, OS, apps. Can be an IoC.

53
Q

nmap -sn

A

No port scanning, essentially a ping sweep

54
Q

nmap -D (or -sI)

A

Decoy or zombie (idle) scans. Stealth scans where a decoy appears to perform the scan in order to hide the source identity. A way to bypass threat prevention/detection.

55
Q

nmap -S

A

Spoof address to bypass firewall

56
Q

nmap -f

A

Fragment packets to bypass a firewall. Can be used for DDoS. Not as frequently used.

57
Q

Nmap port states

A

Open
Closed
Filtered (port can't be probed, usually a firewall)
Unfiltered (uncertain, but reachable)
Open|Filtered (UDP scans)
Closed|Filtered (decoy scans)

Also, NMAP uses CPE (for exam)

58
Q

What is hping and its common flags?

A

Hping is a TCP/IP packet assembler and analyzer. It receives IP data, de-packets that data, and moves it to the linked device in the reverse order. It works on systems such as Linux, Solaris, macOS, and Windows.

-Transmit. You will send an Internet Control Message Protocol (ICMP) echo request.
-Wait. The target for your ping should return your message.
-Analyze. You’ll get a great deal of data, including information about how many bytes were sent, how many arrived, and how long the trip took.
-Repeat. You’ll go through this process a few times, just to ensure the connection remains consistent.

-c (Count):
This flag specifies the number of packets to send before stopping. For example, -c 5 will send 5 packets and then stop.

-S (TCP SYN scan):
This flag initiates a TCP SYN scan, similar to the -sS flag in Nmap. It sends TCP SYN packets to target ports to determine if they are open.

-P (ICMP Echo Request):
The -P flag sends ICMP Echo Request packets to the target. It’s used for basic connectivity testing, similar to the ping command.

-p (Specify Port):
Use this flag to specify the port number to target. For example, -p 80 will target port 80.

-i (Interface):
If you have multiple network interfaces, you can use this flag to specify which interface to use for sending packets.

--traceroute (Traceroute Mode):
This flag enables traceroute mode, where hping sends packets with increasing Time to Live (TTL) values to identify the route taken to reach the target.

-s (Source IP):
You can set the source IP address using this flag. This can be useful for spoofing the source IP for testing purposes.

-a (Set Acknowledgment Number):
This flag allows you to set a specific acknowledgment number in TCP packets. This can be useful for certain types of testing and analysis.

59
Q

What is Responder and what is it used for?

A

MiTM tool, used to detect LLMNR attacks (e.g., DNS failure)

Used for poisoning LLMNR, NBT-NS, and MDNS

60
Q

What are the 3 NIST categories for controls? 800-53

A
  • Technical or Logical: WAFs, IDS, IPS, DB firewall (technical); authorization, authentication (logical)
  • Operational Controls: Also known as administrative controls. Training, security guards, people. The act of emergency/disaster planning is an operational control.
  • Management: High-level overview of security systems, i.e. legislation, documentation, or information that helps decide controls. The act of planning is a management control.
61
Q

What are the 6 security control goals?

A
  • Preventative, e.g. firewalls
  • Detective. Provide notification and alerting during an attack.
  • Corrective. After the attack, actions on restoring operations. Patching.
  • Physical controls
  • Deterrent. Discourages attacks (warning signs, security guards, etc.)
  • Compensating (substitution)
62
Q

What are the methods for evaluating security controls?

A
  • Quality control
  • Verification (does it work)
  • Validation (does it do the intended job)
  • Assessments
  • Evaluation
63
Q

Port 49

A

TACACS+ (router/NAS authentication)

64
Q

Port 88

A

Kerberos

65
Q

Port 1701

A

L2TP (layer 2 tunneling for VPNs)

66
Q

Is trend analysis proactive or reactive, and what is a drawback? Give examples of solutions.

A

Proactive, and it is very time-consuming and resource-intensive.

An example tool is a SIEM.

67
Q

What are some risks of asset changes and associated precautions?

A

Risks: downtime, degraded functionality, increased attack surface, reactive changes (as opposed to planned). Precautions: rollback steps, testing/sandbox steps.

68
Q

Briefly describe the waterfall SDLC

A

Difficult to implement, and only works if perfectly implemented. You can only advance to subsequent steps once the current step is FULLY completed. Major code changes will be very difficult to implement.

69
Q

Briefly describe the agile SDLC

A

More of a “way of life”. Teamwork, flexible, realistic, big picture focused. Not great for complexity or when goals need perfect clarity. It is welcome to change. Sprints.

70
Q

Briefly describe the iterative SDLC

A

Good for projects that need well-defined requirements. More flexible, with functionality added at a later date. Progress is easily measured. However, it needs more resources and is not great for small projects.

71
Q

Briefly describe the spiral SDLC

A

Good for rapidly changing requirements. Smaller iterations, smaller risk. However, it is harder to manage and there are a lot of phases. No linear path.

72
Q

Briefly discuss Information Asset Value and how it is determined.

A

The non-financial value of data or IT assets. The equation is TAV = AV * weight of asset (CIA is very important here).

73
Q

What is the vulnerability score range? Briefly describe.

A

1 (lowest) to 5 (highest)

Typically only 3 and above require remediation.

74
Q

Describe the following acronyms:

SLA, MOU, DRP, BIA

A

Service Level Agreement - contract that determines acceptable uptime/performance

Memorandum of Understanding - similar to an SLA, often a contract between a company and an outside vendor that does scanning

Disaster Recovery Plan - self-explanatory, but not needed for scanning agreements

Business Impact Assessment - also not necessary for scanning agreements. Formalized methods for allowing companies to do their risk assessments (qualitative and quantitative)

75
Q

When coding a web application, what method is more secure than using direct system calls when traversing different systems/apps from the current web application?

A

APIs

76
Q

To avoid race conditions, what is an appropriate method to include? What are race conditions?

A

Locking (or locking mechanisms)

Race conditions are bugs that can be exploited when two processes attempt to access the same resource at the same time. One of them will usually try to change the resource.

Dirty COW is a common vuln.

Locking mechanisms are also fixes for TOC/TOU (time-of-check/time-of-use) issues.

77
Q

What is a buffer overflow, what types are there, and what is a mechanism to prevent it?

A

Using bad functions or code (such as strcpy, which does not do bounds checking), more data is placed into the buffer than the buffer can handle. Bounds checking, ASLR, DEP, and stack canaries prevent this.

Stack-based: when a user-supplied buffer is stored on the stack section of memory (function and variable data).

Heap-based: when a user-supplied buffer is stored on the heap data area of memory (non-variable files loaded in memory). If the exam asks about the malloc function, this is heap.

Integer-based (self-explanatory).

Unsafe functions: printf, sprintf, strcat, strcpy, and gets

78
Q

What is NIST?

A

(US) National Institute of Standards and Technology

Provides recommendations and standards for cybersecurity. Provides tool recommendations as well.

79
Q

Static vs formal code review

A

Static review is a manual or automated method of feeding code through human analysis.

Formal method - machine-led form of code review. Takes longer and more resources are needed.

80
Q

What is UAT?

A

User acceptance testing of beta code

81
Q

What is regression testing?

A

Occurs every time a new feature is updated or introduced. Sometimes old bugs/issues can be reintroduced, so this prevents that.

82
Q

Describe software Reverse engineering

A

Deconstructing compiled code back into its original source code. Not always possible. IDA is an example tool for decompiling.

83
Q

Briefly describe Dynamic Analysis of code

A

Reviewing compiled code. Running through debugger, load testing, etc.

84
Q

Describe Fuzzing

A

Using various alternate inputs for an application that differ from what is requested, including alternate file formats.

85
Q

What is a directory traversal attack?

A

The attempt to access other files on the same machine as the web app.

86
Q

What is XSS?

A

Cross-site scripting targets a user's browser and tricks the browser into executing arbitrary code when visiting a URL. Sanitizing inputs, IDS/IPS, and WAFs can prevent this.

The script can then be executed by other users accessing the URL, causing further compromise (shared/reflected XSS).

Stored cross-site scripting happens when the code is embedded in a button/action on the web page for future site visitors.

87
Q

How to avoid SQL injection?

A

Sanitize inputs, and always do this on the server side.

Use prepared SQL statements. This is a feature used to execute the same SQL statement repeatedly with different parameters.

88
Q

What are insecure object references?

A

Code that references variables/objects in cleartext and allows for manipulation with tools like proxies (OWASP ZAP, for example).

89
Q

What are XML bombs and when do they happen?

A

XML bomb - a message composed and sent with the intent of overloading an XML parser. It is a form of DDoS. Analyze files before parsing them to avoid this.

90
Q

What is session hijacking?

A

Taking over a user's web session. Usually done by MiTM (sniffing), but can also happen over a compromised web session. Predictable session IDs can lead to it as well.

91
Q

What is Cookie poisoning? How can it be prevented?

A

Web attack where an attacker is able to modify the cookie contents. Code injection can happen. Can be prevented by input validation, encryption, and cookie expiration.

92
Q

What is CSRF/XSRF?

A

Cross-site request forgery

After authenticating to a legitimate website and then going to a phishing/malicious site, there can be XSS that points to the original legitimate website and uses the authenticated session to complete malicious activities.

93
Q

How to prevent CSRF?

A

If it is a stateful app, use CSRF tokens.

If it is a stateless app, use double-submit cookies.

Domain origin/referrer header checks

CAPTCHA

SameSite cookie attribute (browser setting that decides whether to send cross-site cookies)

94
Q

What is clickjacking?

A

A fake form is overlaid on a real website via hidden HTML inline frames and alternate code is executed.

Frame busting (forcing the original code to the top of the page) prevents extra frame overlays.

The X-Frame-Options header (frame setting) can prevent it.

95
Q

Briefly describe brute force and common tools used

A

Type of password cracking where multiple passwords/usernames are guessed. They can take a lot of time and are usually detectable.

Medusa, Hydra, John The Ripper, hashcat (used for cracking hashes)

96
Q

What are hash collisions?

A

When 2 inputs generate the same hash.

97
Q

What is a rainbow table?

A

Files with pre-computed hashes. They are huge files/tables. Using long passwords can help, but does not necessarily resolve the problem. Password salting is the best way around it.

rtgen is an example of a rainbow table generator.

98
Q

What is horizontal brute force?

A

Finding a single common password and applying it to multiple usernames/logins. Also called password spraying.

A variation of this is credential stuffing, where the same username/password combo is tried on multiple services. Sometimes with credential stuffing the credentials used have already been compromised, either from a website unrelated to the current attack or from the dark web.

99
Q

What is privilege escalation?

A

Gaining unauthorized access to a system. Starting as a normal user and elevating privileges to do something malicious. Ex: being able to sudo when they shouldn't.

Can be prevented with MFA, patching, input validation, and changing default passwords.

100
Q

What is pass the hash and what is vulnerable to it?

A

Capturing the hash of a password and using the hash to authenticate. Older versions of Windows (LM hashes), newer versions of Windows with backwards compatibility. Old Kerberos.

LM hashes pre-date NTLM and SHOULD NOT be stored.

101
Q

What is ARP poisoning?

A

Used in MiTM; an attacker sends false/manufactured ARP traffic to intercept and manipulate network traffic.

Can be mitigated with DAI (on the switch) and DHCP snooping (also on the switch).

102
Q

What are rootkits? Examples of tools to prevent?

A

Kernel-level malware that attempts to replace or infect OS files, e.g. cmd.exe, notepad.exe, DLLs, drivers and even Linux OS system files. Root or admin access is required for this attack, but a rootkit can often elevate itself to root/admin.

AV can prevent rootkits. FIM (from AV or another tool) can prevent this.

Examples of FIMs are: Tripwire (Linux), SolarWinds, FileSight

103
Q

What are some DoS IoCs?

A
  • Detecting that a botnet is sending traffic to a host
  • DRDoS/amplification symptoms, where the request is much smaller than the reply, so thousands are sent without using many source resources. The source is often spoofed.
  • Slashdotting, where a link to a website is posted and generates synthetic traffic to that site
104
Q

What are some Beaconing IOCs?

A
  • Also look for botnet-type behavior. Look for heartbeat traffic and a small footprint (maybe just a lot of SYNs)
  • Changing IPs and Domains
  • Protocols like IRC, HTTP(S), DNS
  • Increased traffic to/from Cloud or social media sites
105
Q

What are P2P IoCs?

A
  • Most of this traffic is already a red flag.
  • ARP spoofing/extra traffic
  • Hidden SMP or IPP
106
Q

What are some rogue device IoC detection methods?

A
  • Human eyes
  • Network mapping
  • Wireless monitoring
  • Traffic Sniffing
  • NAC
  • IP Address management
107
Q

What are some data exfiltration methods?

A
  • HTTP(s) channel with public storage services
  • Web app attacks
  • DNS as a channel
  • Email
    -Encrypted tunnels, IPsec, TLS
108
Q

Briefly describe Covert Channel IoCs

A
  • Outbound traffic is seldom filtered, but it will be in a covert channel
  • Hidden by encoding, fragmentation, encryption, steganography
    -Tools like OpenStego to hide malicious content in images
109
Q

What is the nbtstat command?

A

nbtstat is a command-line tool in Windows operating systems that is used to troubleshoot NetBIOS name resolution issues and gather NetBIOS-related information. NetBIOS (Network Basic Input/Output System) is an older networking protocol that allows applications on different computers to communicate within a local network.

110
Q

nbtstat flags

A

-a, -A - Adapter status
-c Cache
-n Names
-r resolved addresses

111
Q

What host based tools are used for monitoring processes?

A

Linux - Top, ps, htop

Windows - Task Manager, proc explorer

MacOs - activity monitor

112
Q

What are some unauthorized privilege IoCs

A

-Unauthorized logins
-Failed logins
-New User accounts
-Guest account activity
-Privilege usage outside working hours
-Security policy changes

113
Q

w and lastlog commands on Linux (as well as auth.log file usage)

A

w - who is logged in currently
lastlog - shows the last login for every user account

auth.log shows the last user creation commands, and faillog will show failed logins.

114
Q

What is a VM escape attack?

A

Virtualization attack where a malicious entity is able to gain access to and exploit a hypervisor from one of the VMs.

115
Q

What are some forms of network segmentation? Briefly describe.

A

Air gap - isolating hosts/network segments from the rest of the network either physically or using devices like data diodes. Military, power plants, etc. Also used to protect CAs or key stores.

Layer 2 - VLANs, private VLANs, port security

Layer 3 - subnets, traffic policies, ACLs

DMZ - place for publicly facing servers on the network

Jump box

116
Q

Stateless firewalls?

A

Stateless Firewall:

A stateless firewall, also known as a packet filtering firewall, operates at the network layer (Layer 3) and examines individual packets without considering their relationship to previous or subsequent packets. It makes decisions based on static rules. Stateless firewalls evaluate the header information of each packet, such as source and destination IP addresses, source and destination port numbers, and protocol type. They don't maintain any knowledge about the state of connections or sessions.

Advantages:

Simple/efficient for filtering based on basic criteria like source and destination addresses. Lower resource requirements because they don't track connection states.

Limitations:

Limited in their ability to handle complex traffic, such as allowing responses to outbound requests.
Vulnerable to IP spoofing and certain types of attacks that rely on exploiting their stateless nature. No longer deployed IRL.

117
Q

What are some requirements for full packet inspection?

A

HW: LAN switch, TAP
SW: tcpdump, Wireshark

If unfiltered, this will capture EVERYTHING, which is good and bad (even files).

118
Q

What is a file carving tool?

A

A tool that takes a packet capture, attempts to make sense of it, and can extract files transmitted within the capture.

Examples are: NetworkMiner, Suricata, Zeek (Bro)

119
Q

Flow analysis: what is it and why is it used?

A

A flow is a summary of a stream of network traffic. Full packet capture is costly and resource-intensive. A flow will provide enough information most of the time. The sample size (or number of packets inspected) can be customized.

No dedicated hardware required. Unified view among vendors. Great for reporting.

Cons:

-No payload visibility. Malware often goes undetected.
-An aggregation app is required. This is often a SIEM.
-Mostly sampled.

120
Q

What are some flow analysis tools?

A
  • SolarWinds NetFlow Traffic Analyzer
  • ManageEngine NetFlow Analyzer
  • Cisco Secure Network Analytics (Stealthwatch)
    -SiLK - System for Internet-Level Knowledge
    -Argus
121
Q

What is MRTG?

A

Multi Router Traffic Grapher. Uses SNMP to gather router-level information (OS and hardware).

122
Q

Describe red team vs blue team tabletops

A

Red team - attacking team
Blue team - incident responders

White team - the people that control the game and make sure it is running smoothly
Purple/Orange team - ensure communication between red and blue
Green team - mediator between blue team and yellow (app dev)

123
Q

What is OpenCanary?

A

Honeypot that alerts when certain services are used.

124
Q

What are examples of active defense types?

A

Decoy, honeynet, honeypot

Annoyance tactics (degraded performance)

Counterattack

125
Q

Examples of blacklist/blocklist/execution control software (access control) for Linux?

A

SELinux, AppArmor, among others

126
Q

Stateful firewalls?

A

Stateful Firewall:

Also known as a dynamic packet filtering firewall, operates at higher layers of the OSI model (usually Layers 3 and 4) and maintains a state table that tracks the state of active connections. It monitors the state of network connections, including the source and destination IP addresses, port numbers, and connection status (such as established, related, or new). Stateful firewalls make decisions based on the context of the traffic and its relation to previously allowed or initiated connections.

Advantages:

Can make more informed decisions by understanding the context of connections.
Better suited for handling dynamic and complex traffic scenarios.
Provides enhanced security by preventing unauthorized traffic from exploiting allowed connections.
Limitations:

Requires more memory and processing power to maintain state tables. May introduce some performance overhead due to connection tracking.

127
Q

What is UTM?

A

Considered by some to be another type of firewall. Unified Threat Management combines stateful firewalls with other technology.

Examples: IPS, AV, URL Filtering, AntiSpam, DLP

128
Q

Proxy firewall?

A

Additional functionality that acts as a MiTM for a firewall. Terminates the connection at the firewall and then initiates a new connection to the traffic destination. Allows the FW to inspect and sanitize the connection.

129
Q

What is an NGFW?

A

Next-generation firewalls combine stateful firewalls with application-level security.

130
Q

What is bogon filtering?

A

The process of filtering bogons, or fake/bogus IPs, from a network.

131
Q

Briefly describe implicit deny

A

Any traffic not explicitly allowed via an ACL is not allowed.

132
Q

What are DGAs and mitigation for them?

A

Domain generation algorithm, often creating one-time domains for attackers. Malware comms take place over these randomly generated domain names (in a C2). They rapidly change.

Mitigation:

Patterns can sometimes be identified, and sometimes the names are obviously bogus.

Might not be precise, or in sync.

Blacklisting domains with bad reputation, or whitelisting (difficult for many reasons). Cisco developed a free list called Cisco Umbrella.

133
Q

Examples of open source DNS reputation validation sites?

A

IPVoid

Talos

baderj's list on GitHub is a good one to check for ideas on what bad domain names look like

134
Q

What happens in sandbox URL analysis?

A

Extra domain names, especially URL redirects
Resolve % encoding
Assembling any scripts embedded in the URL and checking their code
Reputation check
DNS TTL

Looks for the following HTTP methods: GET, PUT, POST, HEAD, DELETE

135
Q

Common HTTP status codes

A

2xx: success (200 POST, 201 PUT)

3xx: redirects

4xx: client-side errors

5xx: server errors

136
Q

How is % encoding used by attackers?

A

URL obfuscation

Script embed

Decoding exploits

Recursive exploits

137
Q

What is the purpose of 802.1X?

A

Port-based NAC

The supplicant (person/entity attempting access) attempts to access something, and the authenticator (network access device) asks the authentication server (RADIUS) if the traffic is allowed. EAPoL is the term for allowed traffic.

138
Q

What additional checks can be performed on top of the default 802.1X behavior?

A

Health/posture check of device

OS checking especially for missing updates

Group membership

AV updates and scans

Location check

Time of Day access

139
Q

Briefly describe DAC, MAC, RBAC

A

Discretionary access control - the creator of the resource is the initial owner and can grant access to others. NTFS permissions act like this.

Mandatory access control - clearance levels and labels are used. Users can access objects at their clearance level and below. Military, SELinux, AppArmor, government.

Role-based access control - evolution of DAC. Roles and groups are assigned privileges. Only admins/the system can change access. A subset of this is ABAC, or attribute-based access control.

140
Q

What are directory services?

A

The database for IAM; manages AAA. They can be queried, e.g. by RADIUS and TACACS.

Examples are Windows AD, OpenLDAP, Apache DS, OpenDS, Red Hat Directory Server.

Can be federated through SSO or a service provider.

141
Q

Some examples of web app scanners / interception proxies?

A

Nikto, Arachni, Burp Suite, ZAP (OWASP tool)

Can be used to inspect and manipulate data in transit to and from websites and web apps.

142
Q

What is a SAN cert?

A

Subject Alternative Name

Used when other domains are closely related to the parent, or when the website is hosted on multiple IPs. Also used for subdomain email addresses and similar cases.

143
Q

What is a wildcard cert?

A

A catch-all certificate that covers all subdomains under a parent domain name, e.g. *.microsoft.com

144
Q

How can you check certificate revocation status?

A

CRL - certificate revocation list

OCSP (preferred method) - Online Certificate Status Protocol, queried by certificate serial number

145
Q

What are safe/unsafe TLS and SSL versions?

A

TLS 1.2 and up are OK.
Everything below, including all SSL versions, is unsafe.

146
Q

Email header analysis: what are some things to look for?

A

- Display From (look for a difference between this and the email domain)

- Envelope From or Return-Path (return address); might include an IP

- Received, Delivered-To, date/time

- Return-Path and Authentication-Results

147
Q

SPF record?

A

Sender Policy Framework entry published as a DNS TXT record: a list of hosts that belong to the company and are authorized to send email on its behalf.

Clients can do SPF checking: look up the SPF record and validate whether the email actually came from the domain.

Can also specify what happens when email from a host not on the approved list is received, i.e. reject, flag, or accept.

148
Q

DKIM?

A

DomainKeys Identified Mail - can replace or augment SPF. Uses cryptography to digitally sign emails with the private key of the sending server.

149
Q

DMARC?

A

Domain-based Message Authentication, Reporting, and Conformance.

These rules define a policy for using DKIM, SPF, or both. Published as a DNS record. Tells the receiver what is being used, how to validate, and what to do on failure (failure doesn't always mean malicious).

150
Q

S/MIME?

A

Secure/Multipurpose Internet Mail Extensions

This ensures email confidentiality by signing and encrypting emails with a secure certificate.

Generates key pairs just like public/private key authentication. The private key is kept secret and the public key is shared.

The format is as follows: a blank email is received with an S/MIME attachment. Using the provided keys, the hash can be decrypted and validated before any content is shown.

151
Q

What are some examples of endpoint behavior analysis solutions?

A

HIPS/HIDS - one example is file integrity monitoring tools (Tripwire)

EPP (all-inclusive) - uses signature detection

EDR - similar to EPP but uses machine learning (Cisco AMP / Cisco Secure Endpoint)

UEBA - User and Entity Behavior Analytics. Feeds user activity into a machine learning model to track anomalous behavior. Splunk User Behavior Analytics and Microsoft ATA are examples.

152
Q

Manual behavior (process) analysis strategies

A

Should see only one System Idle Process (PID 0) and one System process (PID 4). Any other processes belong to smss.exe.

One single instance of wininit.exe, responsible for drivers and services.

One instance of services.exe, and all other services should be a child process of services.exe or svchost.exe (which is a wrapper and may show up multiple times).

System processes should be launched by SYSTEM, LOCAL SERVICE, or NETWORK SERVICE.

One lsass.exe

One winlogon.exe

userinit.exe should not persist; look for long-running instances of it.

Explorer.exe

Sysinternals from Microsoft is a good toolset; Procmon and Autoruns are included.

153
Q

What is a TPM?

A

Trusted Platform Module: a chip that contains a cryptographic processor and storage. Used to attest that the particular hardware is secure enough to connect to a particular network. They are tamper-proof and not clonable. Has a self-destruct (software) feature.

154
Q

What is an HSM?

A

Like a TPM, but removable, usually PCI cards or appliances, used to secure enterprise hardware.

Thales

155
Q

Common processor security extensions?

A

SGX - Intel
TXT - Intel
SME - AMD

156
Q

What are the two terms for mitigating active DoS traffic?

A

Blackhole - i.e. dropping traffic to a null file/interface, or using software

Sinkhole - not dropping all traffic, but keeping some for analysis: redirecting, storing, and analyzing (sometimes in a honeypot).

More specific exam topic: DNS sinkholing is a mechanism aimed at protecting users by intercepting DNS requests attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled, IP address.

157
Q

What is the name for the OS on IoT devices like smart thermostats, vacuums, etc?

A

Embedded OS: computers designed for a single function. An embedded system on a chip (SoC) is a common theme for these devices (Raspberry Pi). RTOS (real-time operating systems) are another example; even small time delays on these are devastating.

158
Q

What devices contain CAN?

A

Controller Area Network (CAN) bus is found in automobiles.

159
Q

What industrial system controls large scale ICSes?

A

SCADA

Sometimes secured with air gaps. Often legacy hardware and software. Continuous monitoring of all links and connections to the SCADA system is important.

Physical security is important.

160
Q

What is MODBUS?

A

An old protocol for ICSes, also used to update configurations on PLCs. A Programmable Logic Controller (PLC) is a ruggedized computer used for industrial automation.

Stuxnet is a known malicious worm that targeted these systems.

161
Q

What are some IoCs to look for in event logs?

A

  • Event correlation
  • Config changes
  • Gaps in time
  • Trend analysis (i.e. amount of "normal" log generation)

162
Q

Port 1468

A

TCP Syslog, with added security

163
Q

What is Snort?

A

Open-source IDS engine that logs IDS events. It is now embedded in many IPS devices as well.

164
Q

SIEM solutions examples

A

ArcSight (used to help with compliance)
Splunk
Elastic Stack / ELK stack (Elasticsearch, Logstash, Kibana, Beats)
AlienVault
Graylog
IBM QRadar

165
Q

What are the variables that should be captured by SIEMs for security events?

A

When the event started
Who was involved
What happened
Origination/Destination of the event

Standardizing the log format of the data is important.

166
Q

Ports 1812/1813

A

RADIUS

167
Q

What is an example website to analyze and share virus signatures?

A

VirusTotal (add more sites as they are learned)

168
Q

What is STIX? TAXII?

A

Structured Threat Information eXpression is an XML language created by DHS. The current version is STIX 2 and defines 12 domain objects, e.g. attack patterns, identities, malware, threat actors, and tools. Currently managed by OASIS.

TAXII is the protocol over which STIX information is shared (over HTTPS).

OpenIOC is an alternative to STIX that is also XML and has its own IOC format. Owned by Mandiant.

169
Q

What is degaussing?

A

The process of wiping a hard drive using magnets. Does not guarantee all data will be erased and can damage the HDD.

170
Q

What is a RAT?

A

Remote Access Trojan, a type of fileless malware with executable code.

Used to maintain a foothold for future access (RAT dropper). Might include a keylogger.

171
Q

What is code injection?

A

Malware that injects into legitimate code.

Shellcode, masquerading as something else, DLL replacement, hijacking, and process hollowing are all potential vectors.

172
Q

IaaS - infrastructure as a service

A

Virtualization
Servers
Storage
Networking

173
Q

PaaS - platform as a service

A

Runtime
Middleware
OS
Virtualization
Servers
Storage
Networking

- Google App Engine
- Managed Microsoft SQL or Oracle

174
Q

SaaS - software as a service

A

Application
Data
Runtime
Middleware
OS
Virtualization
Servers
Storage
Networking

175
Q

Examples of cloud infrastructure assessment tools and what they do?

A

ScoutSuite - Python tool that uses the cloud API to collect data and report findings.

Prowler - AWS only; evaluates security posture using the CIS benchmark.

Pacu - exploitation framework and assessment tool, also used by pen testers. AWS only.

CloudSploit - scans private cloud infrastructure accounts (works for all the big cloud providers).

176
Q

Digital Forensics in the cloud?

A

More difficult due to lack of access to hardware and data storage. Virtual resources are volatile. Chain of custody is difficult.

Make sure any forensics activities are agreed upon in the SLA or CSP agreement.

177
Q

CASB?

A

Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.

Examples: Netskope, McAfee MVISION, PA, Cisco, Proofpoint and many more (don't need to memorize).

178
Q

FaaS?

A

Function as a service. All of the cloud infrastructure is a black box; very similar to PaaS. Only the code for the function needs to be provided. Serverless computing.

179
Q

SOA and Microservices?

A

Service-Oriented Architecture (virtualization).

Microservices are similar: very focused on doing one business task/application efficiently. Microservices need to be able to communicate with each other.

SOAP (Simple Object Access Protocol) over XML allows this transmission of data.

180
Q

Modern day replacement for SOAP?

A

REST APIs, based on HTTP(S)

Must have: uniformity, decoupling, stateless, cacheable

180
Q

CI/CD?

A

Continuous integration, continuous delivery (app development). Meshes with the Agile SDLC.

180
Q

IaC

A

Infrastructure as code. Helps avoid mistakes and typos in repetitive tasks. Fights against configuration drift.

180
Q

Windows CMD to display/change file permissions?

A

icacls

180
Q

Financial acts to regulate data and what they accomplish?

A

PCI-DSS - Credit card processing

FISMA - Requires federal agencies to have info sec programs. Incidents must be reported to the CERT/CC
HIPAA - Health information
COSO - Financial fraud reporting
GLBA - Governs how financial institutions handle customer records
SOX - IT regulations for publicly traded companies
GDPR - European data protection regulation
FERPA - Educational institutions

181
Q

Risk based frameworks?

A

Specific actions, based on maturity

NIST

181
Q

Prescriptive frameworks?

A

Backed by regulations/compliance requirements

- COBIT - an IT governance framework for businesses wanting to implement, monitor and improve IT management best practices.
- ITIL - a framework designed to standardize the selection, planning, delivery, maintenance and overall lifecycle of IT services within a business.
- ISO - a combination of various standards for organizations to use. ISO 27001 provides a framework to help organizations, of any size or any industry, protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).
- PCI DSS

181
Q

What topics do frameworks advise on?

A

Acceptable use

Privacy

Backup Policy

Code of conduct

Ownership

Job-related security (separation of duties, job rotation, mandatory vacation, dual control, least privilege)

182
Q

For BC, what is the simple calculation for risk? The more detailed equation?

A

Risk = impact * probability

SLE (single loss expectancy) = asset value * exposure factor

ALE (annual loss expectancy) = SLE * annual rate of occurrence (ARO)

182
Q

Incident response phases?

A

Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

183
Q

OODA Loop?

A

Observe - Orient - Decide - Act

184
Q

What is Reaver? Similar tool to it?

A

Brute-force software intended for the WPS vulnerability. Recovers WPA/WPA2 data.

Another similar tool is aircrack-ng, which can conduct packet injection attacks and crack keys.

185
Q

What is CSIRT?

A

Cybersecurity Incident Response Team. Responsible for coordinating the IR phases and communication.

186
Q

What is OSINT?

A

Open-Source Intelligence (OSINT) is defined as intelligence produced by collecting, evaluating and analyzing publicly available information with the purpose of answering a specific intelligence question.

187
Q

What is OWASP, and what are its common tools?

A

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security.

ZAP is a tool to intercept traffic and look for web app vulnerabilities.

188
Q

SCAP/SOAR?

A

The Security Content Automation Protocol is a method for using specific standards to enable automated vulnerability management.
It can be used in an automated fashion for configuration setting and auditing (current state, deviations from baselines, and so forth) as well.

Security Orchestration, Automation, and Response is more aligned with threat and vulnerability management and incident response, but there is some automation of controls there too.

Basically, SCAP is administrative and SOAR is operational.