Final Baby

Question 1

Which of the Critical Security Controls specifies conducting security awareness training for a
company’s employees?

Answer 1

CIS Control 17 Incident Response

Question 2

Which of these sub-controls do you think would be the “easiest” for an IT organization to
implement? Why?

Answer 2

CIS Control 4 would be the easiest to implement. Controlled Use of
Administrative Privileges comes down to changing passwords when inserting something new and making
sure that only people with administrative accounts use certain workstations and have enhanced privileges.
Multifactor Authentication and logging Administrative activity are also a factor.

Question 3

Which of the Critical Security Controls is used when a potential security incident occurs within a
company? Why?

Answer 3

CIS Control 19 is used when a security incident occurs.
Incident Response ensures that an incident response team is prepared to handle an incident and detail it to the proper authorities.

Question 4

Which of the Critical Security Controls would application developers be most interested in? Why?

Answer 4

CIS Control 18 would be the most interesting to application developers.
Application Software Security details how to make an application secure using firewalls, analysis tools, and algorithms.

Question 5

The NSA ANT Catalog is a list of technological solutions available to NSA team members.
What does ANT stand for?

Answer 5

Advanced Network Technology

Question 6

What is the name of the NSA “elite hacking force”?

Answer 6

TAO

Question 7

What is the name given to the NSA hacking group by outside malware companies

Answer 7

Equation Group

Question 8

What is the name of the exploit created by TAO which can be used to take full control of a
Microsoft Windows system over SMB?

Answer 8

EternalBlue

Question 9

Who does Jack Rhysider interview for the podcast? What is the name of the interviewee’s
company?

Answer 9

Jake Williams
Rendition InfoSec

Question 10

What is doxing?

Answer 10

Posting someone’s private information on the internet, usually with malicious intent

Question 11

What is name of the Foundation established by Chris as part of his work against child predators

Answer 11

Innocent Lives Foundation

Question 12

What is the name of the Project that law enforcement asks for the public’s help in cataloging the
appearance of different hotel rooms in helping to identify the location in which child pornography
images might have been taken?

Answer 12

The Polaris Project

Question 13

What is the world’s most popular network packet sniffer?

Answer 13

Wireshark

Question 14

What is a packet sniffer?

Answer 14

A computer program that can intercept and log traffic that passes over a computer network or part of a network.

Question 15

What is the command line version of Wireshark?

Answer 15

Wireshark -h

Question 16

TCP and FTP are unencrypted protocols? T or F

Answer 16

T

Question 17

ARP is an unencrypted protocol? T or F

Answer 17

F

Question 18

What is penetration testing?

Answer 18

A cyber security professional is authorized to emulate a malicious attacker by
attempting to hack into the company and its systems.

Question 19

What is the first phase of Penetration Testing?

Answer 19

Pre-engagement, working with the client to understand how big the job is gonna
be, understanding why they want to do this job. Give the client the best value for their money.

Question 20

What is the second phase of Penetration Testing?

Answer 20

Engagement, performing reconnaissance and scanning the system for any vulnerabilities,
accessing the system, and figuring out what you have access to once you break in.

Question 21

What is the third phase of Penetration Testing?

Answer 21

Post-Engagement, taking all the information from the testing and creating a finance report.
Telling the client what you did and telling them evidence of issues that were found and telling them how
to fix those issues.

Question 22

The difference between an attacker and a penetration tester is that a professional penetration tester
will always have what?

Answer 22

A penetration tester has permission

Question 23

How long is a MD5 hash in bits? Bytes?

Answer 23

128 bits
16 bytes

Question 24

How long is a SHA256 file hash in bits? Bytes?

Answer 24

256 bits
32 bytes

Question 25

Why would a member of law enforcement need to calculate the file hash for a file?

Answer 25

Law enforcement can calculate a hash file and then compare it to already discovered malicious
content that is in their database. If anything is similar than it is illegal.

Question 26

Why would someone else want to calculate a file hash after downloading a file?

Answer 26

Someone would calculate the hash of a recently downloaded file and look up what the correct
hash is supposed to be. If they are different than the file is fraudulent/malicious.

Question 27

What is OSINT?

Answer 27

Open-source intelligence

Gathering techniques can be used by cyber security
professionals and malicious parties alike to a wide variety of information about a target, whether
that target is an individual or an organization.

Question 28

What is some information dnslytics.com shows?

Answer 28

The domain name, administrative contact,
technical contact, when the domain was activated and will expire.

Question 29

What is the main security concern with companies running IIS 7.5 after January 14th, 2020

Answer 29

It will not be supported by Microsoft.

Question 30

Shodan can do what?

Answer 30

Show how many hosts are on a target network.

Question 31

What is Nmap?

Answer 31

It is the most popular security tool in use today.

Used to scan a network and view ports, device names, and operating systems

Question 32

Why would an attacker want to clear out an event log?

Answer 32

To remove evidence of any wrongdoing

Question 33

What is a command used by a “normal” user to elevate
their privileges to administrator-level access. What is the name of this command?

Answer 33

Windows: User Account Control
Linux: Sudo

Question 34

If a user is a system administrator for an organization, how many different user accounts (at a
minimum) would they have?

Answer 34

An admin account and a regular account for regular work

Question 35

In Cuckoo’s Egg which software had vulnerability in it that allowed the attacker to overwrite another file on the affected system?

Answer 35

The Gnu program

Question 36

What is the meaning of the title of Cliff Stoll’s book - “The Cuckoo’s Egg

Answer 36

A cuckoo lays its eggs in another bird’s nest like a parasite. This thing is entirely reliant on other birds being tricked.
Cliff calls the hacker a Cuckoo because they laid their “egg” in the gnu and was given administrator
access.

Question 37

As explained by Chris, what is the common thread between all attackers

Answer 37

All attackers want to steal something, money, intellectual property, personal info, time, or reputation. Reputation can be someone’s website or social media being hacked and changed.

Question 38

How long did the “Shellshock” vulnerability exist before it was discovered and disclosed to the general public? What system did it affect? What access did it give?

Answer 38

It lasted 30 years before it was discovered.
Unix-based systems.
Unrestricted Access

Question 39

A cyber attack must only be as “
______________
” as it has to be?

Answer 39

Sophisticated

Question 40

Where are the three places discussed that clear text passwords can exist?

Answer 40

In the user’s head
In transit on the network
In limited places in the operating system

Question 41

What is the name of the tool Chris uses to dump clear text passwords from the operating system’s
running memory?

Answer 41

Mimikatz.exe

Question 42

What tool does Chris use to decrypt password hashes?

Answer 42

John the Ripper

Question 43

How is the UEFI rootkit installed?

Answer 43

You get it by installing Absolute Software’s
LoJack.

Question 44

How does the UEFI rootkit work?

Answer 44

Instead of communicating with Absolute’s server it
communicates with Fancy Bear’s. It then adds a malicious UEFI module to the firmware image, this
effectively installs the rootkit to the system.

Question 45

How can the UEFI rootkit be removed?

Answer 45

The only way to remove it is to flash the
firmware. This basically means the user has to overwrite existing data or firmware, that is currently used
on an electronic device, with different, new data

Question 46

Which attacker group is being named as the party responsible for the UEFI rootkit?

Answer 46

Fancy Bear

Question 47

If a corporate network is known to be compromised, what form of communication should employees
not use?

Answer 47

Email

Question 48

What is OPSEC?

Answer 48

OPSEC stands for Operational Security.

OPSEC identifies actions, programs, or processes that could be vulnerable to a hacker on the
outside. Looking at processes from an outsider view lets OPSEC teams locate issues that could have been
overlooked and develop countermeasures for these problems. This helps keep sensitive data secure.

Question 49

What are three different risks associated with ad networks

Answer 49

They manipulate your browser, they inject
scripts, and build profiles of users and systems.

Question 50

What is one way to block the risks associated with ad networks on the systems that you manage

Answer 50

Don’t allow scripts to run without approval

Question 51

For Cyber Security professionals practicing OPSEC, how should we consider browsing the Internet to
ensure safety and reduce (if not eliminate) the impact of malware?

Answer 51

Don’t allow scripts to run without approval.
⦁ Disable password manager autofill
⦁ Disable browser prefetch
⦁ Do work browsing from a VM

Question 52

Describe attacker pivoting

Answer 52

Attacker’s want to get in, do what they want, then get out
without leaving a trace.

Question 53

What is “living off the land”?

Answer 53

Using tools and services that already exist in malicious ways. Netcat is an example, cannot be
traced back to the attacker, can be used for port scanning, transferring data, honeypotting (setting up a
fake service), and also redirecting network traffic.

Question 54

Specify three different types of online accounts people would want to enable 2FA for.

Answer 54

Email, bank, and work

Question 55

What are two ways in which you can overcome bias?

Answer 55

Understand how bias affects you, make evidence based decisions

Question 56

What are five sources of intelligence

Answer 56

Humans, recovered media, breaches, third parties (financial Records), intercepted communication

Question 57

What specific type of malware could spread with the permissions assigned to ‘Everyone’?

Answer 57

Worms or ransomware

Question 58

Dictionary attack?

Answer 58

an attempted illegal entry to a computer system that uses a dictionary headword list to generate possible passwords.

Question 59

What are four concerns discussed with regards to evidence handling?

Answer 59

Permission
Volatility
Pollution
Chain of Custody

Question 60

Class A Extinguisher?

Answer 60

puts out wood and paper

Question 61

Class B Extinguisher?

Answer 61

puts out flammable liquids

Question 62

Class C Extinguisher?

Answer 62

puts out electrical fires

Question 63

Class D Extinguisher?

Answer 63

puts out flammable metals

Question 64

What are steps that should be taken next to address a malicious program.

Answer 64

Disconnect the system from the company’s network.
Completely wipe the system and re-install the operating system.
Restore any lost data from a last known good backup.
Determine how the executable got on the user’s system
Determine what activity the malware was being used to do.
Escalate to the company’s Cyber Security team.

Question 65

What is ransomware?

Answer 65

Malware that prevents a user’s device from properly and fully functioning until a fee is paid.

Question 66

What is a worm?

Answer 66

A malicious program that uses a computer network to replicate

Question 67

What is a virus?

Answer 67

Malicious computer code that reproduces itself on the same computer.

Question 68

What is a logic bomb?

Answer 68

Computer code that lies dormant until it is triggered by a specific logical event.

Question 69

What is fileless malware?

Answer 69

Uses PowerShell to execute attacks. With no traces

Question 70

What is the layering principle?

Answer 70

Mulitple defenses

Question 71

What is the limiting principle?

Answer 71

Access is lowered

Question 72

What is the diversity principle?

Answer 72

Using different vendors, people on your system

Question 73

What is the obscurity principle?

Answer 73

Not revealing computer or hardware information

Question 74

What is the simplicity principle?

Answer 74

Simple from the inside, complex on the outside

Question 75

Availability is the most overlooked aspect of C-I-A in organizations today. T or F

Answer 75

T

Question 76

Confidentiality

Answer 76

Ensures that only authorized parties can view the information

Question 77

Integrity

Answer 77

Ensures that the information is correct and no unauthorized person or malicious software has altered that data

Question 78

Authentication

Answer 78

Provides proof of the genuineness of the user

Question 79

Non-repudiation

Answer 79

Proves that a user performed an action

Question 80

Obfuscation

Answer 80

Makes something obscure or unclear.

Question 81

What does a hash algorithm do?

Answer 81

A hash algorithm creates a unique “digital fingerprint” of a set of data

Question 82

What is a symmetric algorithm?

Answer 82

One key is used to encrypt and decrypt the algorithm

Question 83

Asymmetric algorithm?

Answer 83

Two keys are used, one to encrypt and one to decrypt

Question 84

The RSA is a symmetric algorithm T or F

Answer 84

False

Question 85

How many bits is an MD5 algorithm?

Answer 85

128 bits
32 characters

Question 86

What is Hydra?

Answer 86

A brute force attack program.

Question 87

In the diamond model of intrusion analysis what would the attacker be?

Answer 87

The adversary

Question 88

What does Simple Network Managing Protocol (SNMP) do? Port Number?

Answer 88

a networking protocol used for the management and monitoring of network-connected devices in Internet Protocol networks. (Port 161)

Question 89

What is an eavesdropping attack?

Answer 89

When a hacker intercepts, deletes, or modifies data that is transmitted between two devices.

Question 90

What is war driving?

Answer 90

The act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere.

Question 91

What port is htttps commonly on?

Answer 91

port 443

Question 92

What port is smtp (Simple mail transport protocol) commonly on?

Answer 92

Port 25

Question 93

What port is FTP (File transfer protocol) commonly on?

Answer 93

port 21

Question 94

What is a privilege escalation attack?

Answer 94

An attacker can increase their privilege’s to a network.

Question 95

What is an SQL injection?

Answer 95

An attacker sends unfiltered commands to a database.

Question 96

Describe the 802.11a specification? Ghz and frequency

Answer 96

5 GHz
54 Mbps

Question 97

Describe the 802.11b specification?

Answer 97

2.4 GHz
11 Mbps

Question 98

Describe the 802.11n specification?

Answer 98

2.4 & 5 GHz
600 Mbps

Question 99

Describe the 802.11ac specification?

Answer 99

5 GHz
7.2 Mbps

Question 100

Which of the following can be used to physically secure someone’s laptop to prevent it from being stolen when left in an office, at home or while on the road such as in a hotel room?

Answer 100

Cable lock

Question 101

Which of the following is a random string used when encrypting user passwords - for additional security which can limit the effectiveness of different password attacks?

Answer 101

A salt

Question 102

In order to perform a walk through simulation of its incident response processes, or any other types of written procedures, an organization could conduct which of the following?

Answer 102

Tabletop exercises

Question 103

Years after the events detailed in Cliff Stoll’s The Cuckoo’s Egg, Hans “Pengo” Hubner now works as ?

Answer 103

Pengo is now working as a professional programmer as a data processing engineer(Healthcare systems)

Question 104

Which one of the following is considered a popular vulnerability scanner solution?

Answer 104

Nessus

Question 105

Which of the following would be considered an Industrial Control System?

Answer 105

PLC (Programmable Logic Controller)

Question 106

What is a technical access control?

Answer 106

Anything that limits users from accessing data
Encryption, biometrics, firewalls

Question 107

Which of the following best practices for access control can help reduce employee “burnout” while also being used to help identify malicious insiders?

Answer 107

Job Rotation

Question 108

You run an Nmap scan of a corporate system and discover three open services running on TCP 21, TCP 80 and UDP 161. How many of these services should be scanned for vulnerabilities on a regular basis?

Answer 108

3

Question 109

What is the name of the metal enclosure that can be used to completely block electromagnetic fields and protect systems from electromagnetic interferance or electormagnetic eavesdropping?

Answer 109

Faraday cage

Question 110

Most cyber security experts agree that the only way for organizations to recover from a ransomware infection is to?

Answer 110

Reinstall software and revert to backups

Question 111

List the six different phases of the incident handling process in correct order.

Answer 111

Preparation, identification, containment, eradication, recovery, lessons learned

Question 112

Which of the following data destruction methodologies ensures that data stored on electromagnetic media is permanently and irrevocably destroyed?

Answer 112

Degausse

Question 113

Which of the following protocols was designed at MIT and is used as the main network authentication protocol in Windows environments with Active Directory?

Answer 113

Kerberos