Domain 2.4 Given a scenario, analyze and interpret output from security technologies. Flashcards

1
Q

HIDS/HIPS

A

Installed on one host and protects only that single host.

2
Q

File integrity Verifier

A

File integrity products are configured to check whether certain files have been changed and to record such activity (e.g. Tripwire).

3
Q

Application Whitelist

A

A list of applications explicitly allowed to be installed or used on a computer.

4
Q

Application Blacklist

A

Software specifically not allowed to be used.

5
Q

Removable media control

A

A Group Policy that controls whether removable media (CD, USB, floppy) can be used.

6
Q

Patch Management Tool for Microsoft

A

WSUS (Windows Server Update Services) pushes patches to your network hosts.

7
Q

Single point of failure (SPOF)

A

If a single item fails, your entire network goes down.

8
Q

Data Loss Prevention (DLP)

A

Software that attempts to detect exfiltration of data.

9
Q

Microsoft's version of Data Execution Prevention (DEP)

A

For Microsoft, this is called UAC (User Account Control). It requires admin credentials in order to run a program; for instance, if something is not on the whitelist it may need escalated privileges to install.

10
Q

Web Application Firewall (WAF)

A

A WAF is the best mitigation for an SQL injection or an XSS attack.

11
Q

Look at the following output from a file integrity application and determine when the system was compromised.

/etc/password

  1. 1/1/2018-14:30-e0d123e5f316bef78bfdf5a008837577
  2. 1/1/2018-14:45-e0d123e5f316bef78bfdf5a00883757
  3. 1/1/2018-15:00-d86c4246f3c0eb516628bf324d6b9a3
  4. 1/1/2018-15:15-66bd00e43ff8b932c14140472c4b8cc6

/boot/initrd.img

  1. 1/1/2018-14:00-ff6626c69507a6f511cc398998905670
  2. 1/1/2018-14:30-ff6626c69507a6f511cc398998905670
  3. 1/1/2018-15:00-cc273fe9d442850fa18c31c88c823e07
  4. 1/1/2018-15:30-cc273fe9d442850fa18c31c88c823e07
A
  1. 1/1/2018-15:15-66bd00e43ff8b932c14140472c4b8cc6

The hash has changed, which means the file was changed here.

12
Q

You are analyzing a packet capture file and notice that a host made a connection with another host using a nonstandard port. Which line would make a connection with the other host?

  1. Mkdir/local/user/bin/tempdirectory
  2. Ping -c 15 8.8.4.4 - 1500
  3. Traceroute 8.8.4.4
  4. nc -1 192.168.27.41 -p 1337
  5. pskill pid 4723
  6. dig 8.8.8.8
A
  1. nc -1 192.168.27.41 -p 1337