Final Deck

Question 1

What are the steps in collecting forensic data?

Answer 1

1. Secure physical and remote access to the system before it can be altered
2. Begin eDiscovery. Place on legal hold.
3. Classify evidence according to the order of volitility
4. Acquire data using relevant tools
5. Preserve the data in accountable, unalterable form
6. Analyze collected data to determine what is relevant to the case
7. Assemble your findings into a report

Question 2

What is the order of volatility?

Answer 2

1. CPU registers and cache memory
2. Routing tables, ARP cache, process tables, and kernel stats
3. Other RAM contents
4. Swap files or other temporary file systems
5. Other data on hard drives or flash media
6. Network logging data
7. Firmware of physical configuration
8. Archival media such as optical disks or printouts.

Question 3

This software is placed on some network appliance such as a firewall or router. It scans all outgoing data passing through that point. It can protect the entire organization, but it can’t scan something like encrypted data sent over a TLS connection, or someone copying data to an unauthorized system or storage device inside the network.

Answer 3

Network-based DLP

Question 4

This software can protect all data which passes through the endpoint it’s installed on, such as stored files, print jobs, encrypted network connections, and data copied to USB drives. The drawbacks are that it must be installed on every endpoint that handles sensitive data and that it might be compromised by any
attack which compromises that host.

Answer 4

Endpoint DLP

Question 5

What protocol is a means of securely transferring computer files between a local host and a remote host or between two remote hosts. It is based on the Secure Shell (SSH) protocol.

Answer 5

Secure Copy Protocol (SCP)

Question 6

What type of injection attack is this an example of?

&(USER=john90)(&))(PASSWORD=Pwd)

Answer 6

LDAP injection

Question 7

What type of injection attack is this an example of?

SELECT * FROM Users WHERE Name =”” or “”=”” AND Pass =”” or “”=””

Answer 7

SQL injection

Question 8

What type of injection attack is this an example of?
db.collection.find( { $where: function() {
return (this.name == ‘a’; sleep(5000) ) } } )

Answer 8

NoSQL injection (specifically Javascript against a MongoDB database)

Question 9

What type of injection attack is this an example of?

http://www.example.com/create_user.php?name=thomas&password=hfdj7!dn0thomas@mail.com

Answer 9

XML injection

Question 10

What type of injection attack is this an example of?
?xml version=”1.0” encoding=”UTF-8”?
!DOCTYPE foo [ !ENTITY xxe SYSTEM “file:///etc/passwd” ]
stockCheck>&xxe;

Answer 10

XML External Entities

Question 11

Which OSI layer is affected by DoS attacks such as cutting cables and wireless jamming

Answer 11

OSI Layer 1: Physical

Question 12

Which OSI layer is often attacked by targeting insecure protocols or routers, usually comes from within the network, and includes MAC flooding or ARP poisoning?

Answer 12

OSI Layer 2: Data Link

Question 13

Which OSI layer can be targeted remotely and include ping floods and ICMP attacks?

Answer 13

OSI Layer 3: Network

Question 14

Which OSI layer involves TCP/UDP and is often attacked by port scanning?

Answer 14

OSI Layer 4: Transport

Question 15

Parameter based, session restoration, DOM based, javascript based and XSS are all methods of what attack?

Answer 15

URL redirection

Question 16

What type of DDOS attack is most common?

Answer 16

Network based

Question 17

What is the DOS technique that floods the target with enough data or requests that it can’t respond to all of them?

Answer 17

Resource Exhaustion

Question 18

Which DOS attack sends so many ICMP ping requests that it consumes the hosts network bandwidth and system resources?

Answer 18

ping flood

Question 19

Which DDOS attack relies on IP spoofing to generate overwhelming traffic from unrelated systems

Answer 19

reflected attack

Question 20

Which DDOS attack is like a ping flood, but instead of pinging the target directly, the attacker pings a lot of other systems with spoofed IP return addresses.

Answer 20

smurf attack

Question 21

Which DDOS attack floods random ports on a remote host. This causes the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP ‘Destination Unreachable’ packet.

Answer 21

UDP Flood

Question 22

In which DDOS attack does the requester sends multiple SYN requests, but either does not respond to the host’s SYN-ACK response, or sends the SYN requests from a spoofed IP address.

Answer 22

SYN flood

Question 23

Which DDOS attack sends multiple malformed or malicious pings to a computer.

Answer 23

Ping of Death

Question 24

In the industrial sector, DDOS attacks can be particularly dangerous to which systems?

Answer 24

Industrial Control Systems (ICS)

Question 25

Which type of hacker describes someone who is new to hacking and is not particularly skilled?

Answer 25

Green Hat

Question 26

Which type of hacker is like a white hat hacker by Microsoft’s definition, but by other’s definition is a vengeful hacker?

Answer 26

Blue Hat

Question 27

Which type of hacker may be a hacker that hacks Linux, but also can describe a vigilante hacker who goes after black hats?

Answer 27

Red Hat

Question 28

Which web is hidden and does not show up on traditional search results?

Answer 28

Deep Web

Question 29

Which web is part of the deep web, but also requires additional software to access?

Answer 29

Dark web

Question 30

What is a piece of forensic data which is associated with malicious activity on a system or network. They can include IoAs found in logging systems; they also include unusual login behaviors or privileged actions, unexpected outbound network traffic, or unauthorized configuration changes

Answer 30

Indicators of Compromise (IOC)

Question 31

Is vulnerability scanning active or passive?

Answer 31

passive

Question 32

Which initiative was created by National Cybersecurity and Communications Integration Center (NCCIC) for collaborating on threat indicators. Vulnerability indicators can be quantified in standard formats such as CVSS, encoded in languages like OVAL, and shared by protocols such as SCAP.

Answer 32

Automated Indicator Sharing (AIS) initiative

Question 33

L2TP provides tunneling but not encryption. What should be combined with L2TP for a better tunnel?

Answer 33

IPsec

Question 34

Which protocol encrypts VPN traffic over SSL?

Answer 34

Secure Socket Tunneling Protocol (SSTP)

Question 35

What is used by admins to control computers that are connecting to the network over VPN?

Answer 35

Network Access Control (NAC)

Question 36

Which software is used by NTFS to provide file level encryption

Answer 36

Encrypting File System (EFS)