Deck2

Question 1

The process through which data generated in the ongoing use of information systems is collected, processed, analyzed, and disseminated to provide insights into the security status of those systems

Answer 1

Security Intelligence

Question 2

Structured Threat Information eXpression (STIX)

Answer 2

A standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework STIX is expressed in JavaScript Object Notation (JSON) format that consists of
attribute: value pairs

Question 3

Trusted Automated eXchange of Indicator Information (TAXII)

Answer 3

A protocol for supplying codified information to automate incident detection and
analysis

Question 4

OpenIOC

Answer 4

A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis

Question 5

Malware Information Sharing Project (MISP)

Answer 5

MISP provides a server platform for cyber threat intelligence sharing, a
proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII

Question 6

whois

Answer 6

A public listing of all registered domains and their registered administrators

Question 7

Switched Port Analyzer (SPAN)

Answer 7

Allows for the copying of ingress and/or egress communications from one or more switch ports to another

Question 8

Domain Generation Algorithm (DGA)

Answer 8

A method used by malware to evade blacklists by generating domain names for
C&C networks dynamically

Question 9

The principle method used with HTTP and is used to retrieve a resource

Answer 9

GET

Question 10

Used to send data to the server for processing by the requested resource

Answer 10

POST

Question 10

Creates or replaces the requested resource

Answer 10

PUT

Question 11

Used to remove the requested resource

Answer 11

DELET

Question 12

Retrieves the headers for a resource only and ignores the body

Answer 12

HEAD

Question 13

200

Answer 13

Indicates a successful GET or POST request (OK)

Question 13

3xx

Answer 13

Any code in this range indicates that a redirect has occurred by the server

Question 14

4xx

Answer 14

Any code in this range indicates an error in the client request

Question 15

403

Answer 15

Indicates that a request did not have sufficient permissions

Question 16

404

Answer 16

Indicates that a request did not have sufficient permissions

Question 17

5xx

Answer 17

Any code in this range indicates a server-side issue

Question 18

Percent Encoding

Answer 18

A mechanism to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding

Question 19

Firewall logs can provide you with four types of useful security data

Answer 19

Connections that are permitted or denied
Port and protocol usage in the network
Bandwidth utilization with the duration and volume of usage
An audit log of the address translations (NAT/PAT) that occurred

Question 20

Reverse Proxy

Answer 20

A type of proxy server that protects servers from direct contact
with client requests

Question 21

Sysinternals

Answer 21

A suite of tools designed to assist with troubleshooting issues with Windows, and
many of the tools are suited to investigating security issues

Question 22

Manages low-level Windows functions and it is normal to see several of these
running
(as long as they are launched from %SystemRoot%\System32 and have no parent)

Answer 22

Client Server Runtime SubSystem (csrss.exe)

Question 23

Manages drivers and services and should only have a single instance running as a process

Answer 23

WININIT (wininit.exe)

Question 23

Hosts nonboot drivers and background services, this process should only have one instance of services.exe running as a child of wininit.exe, with other service processes showing a child of services.exe or svchost.exe

Answer 23

Services.exe

Question 23

Handles authentication and authorization services for the system, and should have a single instance running as a child of wininit.exe

Answer 23

Local Security Authority SubSystem (lsass.exe)

Question 24

Manages access to the user desktop and should have only one instance for each user session with the Desktop Window Manager (dwm.exe) as a child process in modern versions of Windows

Answer 24

WINLOGON (winlogon.exe)

Question 25

Sets up the shell (typically explorer.exe) and then quits, so you should only see this process briefly after log-on

Answer 25

USERINIT (userinit.exe)

Question 26

This is the typical user shell, launched with the user’s account privileges rather than SYSTEM’s, and is likely to be the parent for all processes started by the logged-on user

Answer 26

Explorer (explorer.exe)

Question 27

DNS record identifying hosts authorized to send mail for the domain with only one being allowed per domain

Answer 27

Sender Policy Framework (SPF)

Question 28

Provides a cryptographic authentication mechanism for mail utilizing a public key published as a DNS record

Answer 28

DomainKeys Identified Mail (DKIM)

Question 29

Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

Answer 29

A framework for ensuring proper application of SPF and DKIM utilizing a policy published as a DNS record DMARC can use either SPF or DKIM or both

Question 30

SMTP Log Analysis

Answer 30

SMTP logs are typically formatted in request/response fashion o Time of request/response o Address of recipient o Size of message o Status code

Question 30

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Answer 30

An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications

Question 31

File Transfer Protocol

Answer 31

21 (FTP)

Question 32

Secure Shell/FTP over SSH

Answer 32

22 (SSH/SFTP)

Question 33

Telnet – an unsecure remote administration interface

Answer 33

23 (TELNET)

Question 34

Simple Mail Transfer Protocol

Answer 34

25 (SMTP)

Question 35

Domain Name System uses TCP for zone transfers

Answer 35

53 (DNS)

Question 36

Post Office Protocol is a legacy mailbox access protocol

Answer 36

110 (POP3)

Question 37

NetBIOS Session Service supports Windows File Sharing with pre-Windows 2000 version hosts

Answer 37

139 (NETBIOS-SSN)

Question 38

Internet Mail Access Protocol

Answer 38

143 (IMAP)

Question 39

Server Message Block

Answer 39

445

Question 40

Post Office Protocol Secure

Answer 40

995 (POP3S)

Question 41

MySQL database connection

Answer 41

3306 (MySQL)

Question 42

Remote Desktop Protocol

Answer 42

3389 (RDP)

Question 43

Domain Name System uses UDP for DNS queries

Answer 43

53 (DNS)

Question 44

Trivial File Transfer Protocol

Answer 44

69 (TFTP)

Question 44

Dynamic Host Configuration Protocol (DHCP)

Answer 44

67/68

Question 45

Network Time Protocol

Answer 45

123

Question 46

NetBIOS

Answer 46

137/138/139

Question 47

Server port for a syslog daemon

Answer 47

514 (SYSLOG)

Question 48

A software development model that focuses on iterative and incremental development to account for evolving requirements and expectations

Answer 48

Agile Method

Question 49

A software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete

Answer 49

Waterfall Method