Final Deck Flashcards
What are the steps in collecting forensic data?
- Secure physical and remote access to the system before it can be altered
- Begin eDiscovery. Place on legal hold.
- Classify evidence according to the order of volatility
- Acquire data using relevant tools
- Preserve the data in accountable, unalterable form
- Analyze collected data to determine what is relevant to the case
- Assemble your findings into a report
What is the order of volatility?
- CPU registers and cache memory
- Routing tables, ARP cache, process tables, and kernel stats
- Other RAM contents
- Swap files or other temporary file systems
- Other data on hard drives or flash media
- Network logging data
- Firmware or physical configuration
- Archival media such as optical disks or printouts.
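The two cards above describe a procedure: acquire evidence most-volatile-first, then preserve it in a tamper-evident form. The following is an added Python example, not part of the original deck, that orders a set of constructed in-memory artifacts by the card's volatility ranks and then builds a SHA-256 manifest so any later alteration of an artifact (or of the manifest itself) is detectable. The artifact names, categories and the examiner name are made up for the illustration.

```python
import hashlib
import json

# Order of volatility from the card above, most volatile first (rank 0).
VOLATILITY_ORDER = [
    "cpu registers and cache",
    "routing tables, arp cache, process tables, kernel stats",
    "other ram contents",
    "swap files or temporary file systems",
    "other data on hard drives or flash media",
    "network logging data",
    "firmware or physical configuration",
    "archival media",
]

# Constructed sample artifacts (not real evidence); listed deliberately out of order.
SAMPLE_ARTIFACTS = [
    {"name": "disk-image", "category": "other data on hard drives or flash media", "data": b"\x00" * 64},
    {"name": "arp-cache", "category": "routing tables, arp cache, process tables, kernel stats",
     "data": b"192.0.2.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE\n"},
    {"name": "memory-dump", "category": "other ram contents", "data": b"MEMDUMP" * 8},
    {"name": "syslog", "category": "network logging data", "data": b"Jan 1 00:00:01 host sshd[1]: Accepted\n"},
]


def plan_collection(artifacts):
    """Return artifact names sorted so the most volatile evidence is acquired first."""
    ranked = sorted(artifacts, key=lambda a: VOLATILITY_ORDER.index(a["category"]))
    return [a["name"] for a in ranked]


def build_manifest(artifacts, examiner):
    """Hash every acquired artifact (preservation step) and seal the entry list itself."""
    entries = [{"name": a["name"], "category": a["category"], "size": len(a["data"]),
                "sha256": hashlib.sha256(a["data"]).hexdigest()} for a in artifacts]
    manifest = {"examiner": examiner, "entries": entries}
    # Hash the canonical JSON of the manifest so removing or editing an entry is also visible.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def manifest_intact(manifest):
    """True if the manifest's own seal still matches its entries."""
    unsealed = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    body = json.dumps(unsealed, sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest() == manifest["manifest_sha256"]


def verify_artifacts(manifest, artifacts):
    """Names of artifacts whose current bytes no longer match the recorded hash."""
    current = {a["name"]: hashlib.sha256(a["data"]).hexdigest() for a in artifacts}
    return [e["name"] for e in manifest["entries"] if current.get(e["name"]) != e["sha256"]]


if __name__ == "__main__":
    print(plan_collection(SAMPLE_ARTIFACTS))
    m = build_manifest(SAMPLE_ARTIFACTS, examiner="examiner-01")
    print(manifest_intact(m), verify_artifacts(m, SAMPLE_ARTIFACTS))
```

In practice the artifact bytes would come from the acquisition tools (memory imager, `ip neigh`, disk imager) and the manifest would be signed or stored write-once; the hashing logic is the same.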
This software is placed on some network appliance such as a firewall or router. It scans all outgoing data passing through that point. It can protect the entire organization, but it can’t scan something like encrypted data sent over a TLS connection, or someone copying data to an unauthorized system or storage device inside the network.
Network-based DLP
This software can protect all data which passes through the endpoint it’s installed on, such as stored files, print jobs, encrypted network connections, and data copied to USB drives. The drawbacks are that it must be installed on every endpoint that handles sensitive data and that it might be compromised by any attack which compromises that host.
Endpoint DLP
Which protocol is a means of securely transferring computer files between a local host and a remote host, or between two remote hosts, and is based on the Secure Shell (SSH) protocol?
Secure Copy Protocol (SCP)
What type of injection attack is this an example of?
&(USER=john90)(&))(PASSWORD=Pwd)
LDAP injection
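To see why the filter on the card authenticates without a valid password, the following added Python example (not from the original deck) rebuilds the filter the card shows from a user value of `john90)(&)`, extracts the first parenthesis-balanced filter a directory server would evaluate, and then shows the same input after RFC 4515 escaping. The attribute names USER and PASSWORD come from the card; `first_complete_filter` is an illustrative helper, not a real LDAP library function.

```python
# RFC 4515 escapes for characters that are special inside an LDAP search filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(user: str, password: str) -> str:
    """Vulnerable: raw string interpolation into the filter."""
    return f"(&(USER={user})(PASSWORD={password}))"


def build_filter_safe(user: str, password: str) -> str:
    """Hardened: every attribute value is escaped before interpolation."""
    return f"(&(USER={escape_ldap_value(user)})(PASSWORD={escape_ldap_value(password)}))"


def first_complete_filter(filt: str) -> str:
    """Prefix of `filt` up to where parentheses first balance (illustrative helper).
    Servers that stop parsing at the first complete filter never see the trailing text."""
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filt[: i + 1]
    return filt


if __name__ == "__main__":
    payload = "john90)(&)"  # attacker's username field, from the card's example
    unsafe = build_filter_unsafe(payload, "Pwd")
    print(unsafe)                        # (&(USER=john90)(&))(PASSWORD=Pwd))
    print(first_complete_filter(unsafe)) # (&(USER=john90)(&))  -- (&) is always true
    print(build_filter_safe(payload, "Pwd"))
```

`(&)` is the absolute-true filter from RFC 4526, so the evaluated portion matches the user regardless of password; after escaping, the injected parentheses become literal characters and the PASSWORD clause stays inside the filter.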
What type of injection attack is this an example of?
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
SQL injection
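The query on the card is what a login form produces once a user types `" or ""="` into both fields. The following added Python example (not from the original deck) runs the equivalent attack against an in-memory SQLite table with single-quoted literals, which is the portable string syntax (the card's double quotes are MySQL style), and contrasts string formatting with a parameterized query. The table contents and column names are constructed for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not real user data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name: str, password: str):
    """Vulnerable: the user's input becomes part of the SQL text.
    With name = password = ' or ''=' the WHERE clause becomes
    Name = '' or ''='' AND Pass = '' or ''=''  -> true for every row."""
    query = f"SELECT * FROM Users WHERE Name = '{name}' AND Pass = '{password}'"
    return conn.execute(query).fetchall()


def login_parameterized(conn, name: str, password: str):
    """Hardened: the driver binds the values; quotes in the input stay data."""
    query = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return conn.execute(query, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or ''='"
    print(login_vulnerable(db, payload, payload))     # every user returned
    print(login_parameterized(db, payload, payload))  # nothing returned
```

Because AND binds tighter than OR, the injected clause evaluates as `Name='' OR (''='' AND Pass='') OR ''=''`, and the final `''=''` alone makes the whole condition true.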
What type of injection attack is this an example of?
db.collection.find( { $where: function() {
return (this.name == 'a'; sleep(5000) ) } } )
NoSQL injection (specifically JavaScript injected into a $where clause against a MongoDB database; the `'; sleep(5000)` fragment was supplied through the name parameter)
What type of injection attack is this an example of?
http://www.example.com/create_user.php?name=thomas&password=hfdj7!dn0thomas@mail.com
XML injection
What type of injection attack is this an example of?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck>&xxe;</stockCheck>
XML External Entities
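A parser that resolves the SYSTEM entity above will read /etc/passwd into the stockCheck element. The following added Python example (not from the original deck) implements the usual defence: it pre-scans the document with expat's entity-declaration callback and rejects any entity that points at an external SYSTEM or PUBLIC identifier before the document is handed to ElementTree. The stockCheck payload is the card's; the benign document and the element handling are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class ExternalEntityError(ValueError):
    """Raised when the document declares an external (SYSTEM/PUBLIC) entity."""


def reject_external_entities(xml_bytes: bytes) -> None:
    """Walk the document with expat and abort on any external entity declaration."""
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise ExternalEntityError(f"external entity {name!r} -> {system_id or public_id}")

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)


def parse_stock_check(xml_bytes: bytes) -> str:
    """Return the text of the <stockCheck> element only if the document is safe to parse."""
    reject_external_entities(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return (root.text or "").strip()


def is_rejected(xml_bytes: bytes) -> bool:
    """Convenience wrapper: True if the document was refused as an XXE attempt."""
    try:
        parse_stock_check(xml_bytes)
    except ExternalEntityError:
        return True
    return False


# The card's payload (constructed here as bytes) and a benign request for comparison.
XXE_DOC = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
           b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
           b'<stockCheck>&xxe;</stockCheck>')
BENIGN_DOC = b'<?xml version="1.0" encoding="UTF-8"?><stockCheck>381</stockCheck>'

if __name__ == "__main__":
    print(is_rejected(XXE_DOC))          # True
    print(parse_stock_check(BENIGN_DOC)) # 381
```

This check blocks external entities only; internal entity expansion (the "billion laughs" case) needs a separate limit, which is why libraries such as defusedxml forbid DTDs altogether.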
Which OSI layer is affected by DoS attacks such as cutting cables and wireless jamming?
OSI Layer 1: Physical
Which OSI layer is often attacked by targeting insecure protocols or routers, usually comes from within the network, and includes MAC flooding or ARP poisoning?
OSI Layer 2: Data Link
Which OSI layer can be targeted remotely and include ping floods and ICMP attacks?
OSI Layer 3: Network
Which OSI layer involves TCP/UDP and is often attacked by port scanning?
OSI Layer 4: Transport
Parameter-based, session restoration, DOM-based, JavaScript-based and XSS are all methods of what attack?
URL redirection
What type of DDOS attack is most common?
Network based
What is the DOS technique that floods the target with enough data or requests that it can’t respond to all of them?
Resource Exhaustion
Which DoS attack sends so many ICMP echo requests that it consumes the host's network bandwidth and system resources?
ping flood
Which DDoS attack relies on IP spoofing to generate overwhelming traffic from unrelated systems?
reflected attack
Which DDoS attack is like a ping flood, but instead of pinging the target directly, the attacker sends ICMP echo requests to a network's broadcast address with the source spoofed to the victim's address, so every host on that network replies to the victim?
smurf attack
Which DDoS attack floods random ports on a remote host, causing the host to repeatedly check for an application listening on each port and, when none is found, reply with an ICMP "Destination Unreachable" packet?
UDP Flood
In which DDoS attack does the requester send multiple SYN requests but either never answers the host's SYN-ACK or sends the SYNs from spoofed IP addresses, leaving half-open connections that exhaust the host's connection table?
SYN flood
Which DoS attack sends oversized or malformed ping packets (larger than the 65,535-byte IP maximum once reassembled) to a computer?
Ping of Death
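The flood cards above each describe a traffic pattern a defender can look for. The following added Python example (not from the original deck) runs simple detectors for a SYN flood, a UDP flood, a ping flood and a smurf attempt over a constructed list of packet summaries; the addresses, thresholds and the `(src, dst, proto, detail)` record shape are all made up for the illustration, not taken from any real capture or tool.

```python
import ipaddress
from collections import Counter

# Constructed packet summaries, not real capture data: (src, dst, proto, detail) where
# detail is the TCP flag string ("S" = SYN only, "A" = ACK), the UDP destination port,
# or the ICMP message type.
SAMPLE_PACKETS = (
    [("10.0.0.5", "192.0.2.10", "tcp", "S")] * 40                    # SYNs never completed
    + [("10.0.0.7", "192.0.2.10", "tcp", "S"), ("10.0.0.7", "192.0.2.10", "tcp", "A")]
    + [("10.0.0.9", "192.0.2.10", "udp", p) for p in range(20000, 20030)]  # 30 random ports
    + [("10.0.0.11", "192.0.2.10", "icmp", "echo-request")] * 60
    + [("10.0.0.3", "192.0.2.10", "icmp", "echo-request")] * 2       # ordinary ping
    + [("192.0.2.10", "192.0.2.255", "icmp", "echo-request")] * 5    # spoofed victim -> broadcast
)


def detect_syn_flood(packets, threshold=20):
    """Sources with far more SYNs than ACKs: half-open connections piling up."""
    syns, acks = Counter(), Counter()
    for src, _dst, proto, detail in packets:
        if proto != "tcp":
            continue
        if detail == "S":
            syns[src] += 1
        elif "A" in detail:
            acks[src] += 1
    return sorted(s for s in syns if syns[s] - acks[s] >= threshold)


def detect_udp_flood(packets, threshold=25):
    """Sources hitting an unusually large number of distinct UDP ports on one host."""
    ports = {}
    for src, dst, proto, detail in packets:
        if proto == "udp":
            ports.setdefault((src, dst), set()).add(detail)
    return sorted({src for (src, _dst), ps in ports.items() if len(ps) >= threshold})


def detect_ping_flood(packets, threshold=50):
    """Sources sending more ICMP echo requests than a benign host would."""
    echo = Counter(src for src, _d, proto, detail in packets
                   if proto == "icmp" and detail == "echo-request")
    return sorted(s for s, n in echo.items() if n >= threshold)


def detect_smurf(packets, network):
    """ICMP echo requests aimed at the directed broadcast address of `network`.
    The source address is the spoofed victim that every responding host will flood."""
    bcast = ipaddress.ip_network(network).broadcast_address
    return sorted({src for src, dst, proto, detail in packets
                   if proto == "icmp" and detail == "echo-request"
                   and ipaddress.ip_address(dst) == bcast})


def summarize(packets, network="192.0.2.0/24"):
    """Run every detector and return the flagged sources per attack type."""
    return {"syn_flood": detect_syn_flood(packets),
            "udp_flood": detect_udp_flood(packets),
            "ping_flood": detect_ping_flood(packets),
            "smurf_victims": detect_smurf(packets, network)}


if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

Real deployments rate these counts per time window and per destination rather than over a whole capture, and a reflected or spoofed flood will show many sources rather than one, so per-source thresholds alone will miss it; the smurf detector compensates by keying on the broadcast destination instead.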
In the industrial sector, DDOS attacks can be particularly dangerous to which systems?
Industrial Control Systems (ICS)
Which type of hacker describes someone who is new to hacking and is not particularly skilled?
Green Hat
Which type of hacker is like a white hat hacker by Microsoft's definition, but by others' definition is a vengeful hacker?
Blue Hat
Which type of hacker may be a hacker that hacks Linux, but also can describe a vigilante hacker who goes after black hats?
Red Hat
Which web is hidden and does not show up on traditional search results?
Deep Web
Which web is part of the deep web, but also requires additional software to access?
Dark web
What is a piece of forensic data which is associated with malicious activity on a system or network. They can include IoAs found in logging systems; they also include unusual login behaviors or privileged actions, unexpected outbound network traffic, or unauthorized configuration changes
Indicators of Compromise (IOC)
Is vulnerability scanning active or passive?
Passive, in the sense the CompTIA objectives use: a vulnerability scan passively tests security controls by identifying weaknesses without exploiting them, whereas a penetration test actively tests them. Note that the scanner itself still sends probe traffic to its targets, so in network-reconnaissance terms it is not passive the way sniffing or OSINT is.
Which initiative was created by the National Cybersecurity and Communications Integration Center (NCCIC) for collaborating on threat indicators? Vulnerability indicators can be quantified in standard formats such as CVSS, encoded in languages like OVAL, and shared using specifications such as SCAP.
Automated Indicator Sharing (AIS) initiative
L2TP provides tunneling but not encryption. What should be combined with L2TP for a better tunnel?
IPsec
Which protocol encrypts VPN traffic over SSL/TLS?
Secure Socket Tunneling Protocol (SSTP)
What is used by admins to control computers that are connecting to the network over VPN?
Network Access Control (NAC)
Which NTFS feature provides file-level encryption?
Encrypting File System (EFS)