Focused ECIHv2 Study Guide

Question 1

What is the Risk equation?

Answer 1

Risk = Threat X Vulnerabilty

Question 2

In Order, What is the Risk Assessment Process?

Answer 2

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Analysis
6. Impact Analysis
7. Risk Determination
8. Control Recommendation
9. Risk Assessment Report

Question 3

What is PILAR?

Answer 3

Risk Analysis and Management Software

Question 4

What is the purpose of Incident Response Orchestration - Automation?

Answer 4

To automatically notify a person when there’s an incident.

Question 5

ISO/IEC 27000

Answer 5

Overview and introduction of the information security management systems

Question 6

ISO/IEC 27001

Answer 6

The Information Security Management System (ISMS) requirements

Question 7

ISO/IEC 27002

Answer 7

Code of practice for information security controls

Question 8

ISO/IEC 27003

Answer 8

Information Security Management System implementation guidance

Question 9

ISO/IEC 27004

Answer 9

Information Security Management

Question 10

ISO/IEC 27005

Answer 10

Information Security Risk Management

Question 11

ISO/IEC 27006

Answer 11

Requirements for bodies providing audit and certification of Information Security Management Systems

Question 12

ISO/IEC 27007

Answer 12

Guidelines for Information Security Management Systems auditing

Question 13

ISO/IEC TR 27008

Answer 13

Guidance for auditors on ISMS controls

Question 14

ISO/IEC 27009

Answer 14

Guidelines for those producing sector or industry-specific ISO27k standards

Question 15

ISO/IEC 27010

Answer 15

Information Security Management for inter-sector and inter-organizational communications

Question 16

NIST 800-86

Answer 16

Incident Response Approach

Question 17

NIST 800-61 Rev.2

Answer 17

Incident handling guide

Question 18

RFC 2196

Answer 18

RFC 2196 builds on RFC 1244 and is a guide to setting computer security policies

Question 19

COBIT IT

Answer 19

Governance framework that emphasizes compliance and helps increase the value of ID

Question 20

NIST 800-61

Answer 20

Step-by-step instructions for new and established incident response teams

Question 21

Graham-Leach-Bliley Act (GLBA)

Answer 21

Deals with financial institutions, specifically PII

Question 22

Sarbanes-Oxley (SOX)

Answer 22

Fair and accurate corporate reporting. Deals with corporate fraud.

Question 23

General Data Protection Regulations (GDPR)

Answer 23

Article 32: Speaks to the CIA triad and the ability to restore PII on time

Article 33: Must notify if data is breached within 72 hours, if possible

Question 24

NIST: Incident Handling Criteria and Reporting Timeframe

Answer 24

Cat 0 Exercise/Network Defense Testing
Cat 1 Unauthorized Access – 1 hour
Cat 2 DOS – 2 hours
Cat 3 Malicious code – 1 hour
Cat 4 Inappropriate usage - Weekly
Cat 5 Scan/Probe/Attempting access – Monthly
Cat 6 Investigation

Question 25

buck-security

Answer 25

Linux tools which identify the security status of a system

Question 26

Kiwi Syslog Server

Answer 26

Centrally manages Syslog messages

Question 27

Splunk

Answer 27

Collects, monitors and analyzes log files

Question 28

Microsoft Baseline Security Analyzer

Answer 28

Gets the security posture of a Windows system, indicates whether a system is missing security patches.

Question 29

Magic Tree

Answer 29

Reporting tool using a tree structure

Question 30

KeepNote

Answer 30

Multi-platform notetaking software.

Question 31

Forensic Readiness Planning

Answer 31

1. Identify potential evidence
2. Determine source
3. Define a policy that determines the pathway
4. Establish a handling and storing policy
5. Does it require a full or formal investigation?
6. Train staff
7. Special process for documenting
8. Legal advisory board

Question 32

rc.local

Answer 32

The script /etc/rc. local is for use by the system administrator. It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel. You might use it to start a custom service, for example a server that’s installed in /usr/local.

Question 33

Common Imaging Software

Answer 33

FTK Imager and R-Drive Image

Question 34

Order of Volatility

Answer 34

1. Registers and Cache
2. Routing table, process table, kernel stats, memory
3. Temp files
4. Disk or storage media
5. Remote logging
6. Physical config and network topology
7. Archival media

Question 35

Data Collection Commands

Answer 35

Systeminfo.exe – Windows
PsInfo – Windows
Cat – Linux
Uname – Linux

Question 36

Uptime Commands

Answer 36

• PsUptime – Windows
• Date /t – Windows (show date and time)
• Net Statistics – Windows
• Uptime and W – Linux

Question 37

Process Commands

Answer 37

• Netsat – ab (Windows) All executable files
• ListDLLs (Windows) shows all DLLs
• Pslist.exe (Window) shows running processes and
uptime
• Pmdump (Windows) tries to help find rogue
processes
• Top (Linux) system info summary as well as
processes and threads
• W (Linux) current processes per user
• Ps root’s processes
• Pstree shows processes in a tree form

Question 38

Network Commands

Answer 38

• Nbstat -c contents (cache name and ip)
• Netstat -ano (all connections and even ports)
• Netstat -r (routing table and frequent routes)

Question 39

Cyber Triage

Answer 39

Simplified collection and analysis of endpoint data

Question 40

Process Explorer

Answer 40

DLLs of processes – Can show you malware hits on Virus Total

Question 41

Forensic Explorer

Answer 41

Undelete and slack space

Question 42

Forensic toolkit (FTK)

Answer 42

decryption and password cracking

Question 43

Event Log Explorer

Answer 43

Event logs in Windows

Question 44

OSForensics

Answer 44

Discover relevant forensic data through searching and indexing as well as undelete, also cheap

Question 45

Helix3

Answer 45

Gives visibility across your entire network revealing internet abuse, data sharing and harassment

Question 46

Autopsy

Answer 46

view file system, restore deleted data and timeline analysis

Question 47

EnCase

Answer 47

Does pretty much everything, very expensive

Question 48

Foremost

Answer 48

Linux recovers files based on headers, footers and internal data structures

Question 49

Golden Ticket

Answer 49

Stolen Kerberos ticket

Question 50

Syscall Proxying

Answer 50

Remote commands

Question 51

Userland Execve Technique

Answer 51

Unix process load and execute ELF binary image

Question 52

ADS (Alternate data stream)

Answer 52

Hide files in NTFS

Question 53

Trail Obfuscation

Answer 53

Trying to mislead investigators

Question 54

Preparing Malware Testbed Steps

Answer 54

Step 1: Allocate a physical system for the analysis lab
Step 2: Install virtual machine on the system
Step 3: Install guest OS on the virtual machine
Step 4: isolate the system for the network by ensuring that the NIC card is in “host only” mode
Step 5: Simulate internet services using tools such as iNetSim
Step 6: Disable the “shared folders” and the “guest isolation”
Step 7: Install malware analysis tools
Step 8: Generate hash value of each OS and tool
Step 9: Copy the malware over to the guest OS

Question 55

Live System/Dynamic Analysis

Answer 55

A malware detection technique for live systems that are operational

Question 56

Intrusion Analysis

Answer 56

A malware detection technique that utilizes logs and alerts of IDS, SIEMS, etc…

Question 57

TCPView

Answer 57

GUI TCP viewer

Question 58

Process Monitor

Answer 58

GUI that allows filtering of real time monitoring, you can use it to drill down clear to driver stack information and see individual commands sent over the network to the machine. You can also right click on the process and search it online.

Question 59

Registry Monitoring Tools

Answer 59

Regshot
Reg Organizer
Registry Viewer
RegScanner
Registrar Registry Manager

Question 60

Autoruns

Answer 60

Monitors autoruns, you can verify signatures and jump to reg key or file location

Question 61

SIGVERIF

Answer 61

Checks file and folder integrity by verifying hash values

Question 62

HashMyFiles

Answer 62

Hashes files

Question 63

IDA Pro

Answer 63

Multi-platform disassembler and debugger through instruction tracing, functions tracing, read/write/execute tracing

Question 64

Memory Dump Analysis Using Volatility Framework

Answer 64

connections - 
connscan - 
psscan - 
pstree - 
malfind - 
apihooks - 
printkey - 
idt - 
threads - 
modscan - 
getsids - 
filescan - 
sockets - 
mutantscan -

Question 65

SSDT View and ReKall

Answer 65

Identify SSDT patching by rootkits

Question 66

RogueKiller

Answer 66

Identifies kernal-mode rootkits

Question 67

CapLoad and Wireshark

Answer 67

Detect malicious beaconing traffic

Question 68

PRTG Network Monitor and GFI Languard

Answer 68

Identify unwanted traffic to malicious and unknown external entities

Question 69

Mail Bombing

Answer 69

DOS attack by overloading an email box

Question 70

Mail Storming

Answer 70

DOS by reply all to large distribution lists

Question 71

Spear Phishing

Answer 71

Targeted at a specific person or group

Question 72

Whaling

Answer 72

Targeting high profile people, like executives

Question 73

Pharming

Answer 73

Redirecting traffic using DNS poisoning or host file modification

Question 74

Spimming

Answer 74

Spam on Instant Messanger

Question 75

Puddle Phishing

Answer 75

Targeting small organizations

Question 76

CEO Scam

Answer 76

Impersonating a CEO to get employees to do something for you (Like the Google Play card scams that are super common)

Question 77

Netcraft

Answer 77

Neighborhood watch scheme to help defend community against phishing – also includes a toolbar that gives a website a risk rating

Question 78

PhishTank

Answer 78

Open API for developers and researchers to integrate anti-phishing data into their applications

Question 79

MxToolbox

Answer 79

Makes email headers human readable by parsing them according to RFC 822

Question 80

Email Dossier, Email Address Verifier, emailvalidator, Email Checker, and G-Lock Software Email Verifier

Answer 80

All email validity checkers

Question 81

eMailTrackerPro

Answer 81

Analyzes email header and reveals sender’s geographical location and IP address

Question 82

EventLog Analyzer

Answer 82

Used to analyze email logs at server level

Question 83

Recover My eMail

Answer 83

Uses Outlook PST or DBX files to recover deleted emails

Question 84

Gophish

Answer 84

Used to create phishing simulations to test your organizations exposure to phasing – usually used to schedule people for additional security awareness training

Question 85

SPAMfighter

Answer 85

An automatic SPAM filter

Question 86

Gpg4win

Answer 86

Email encryption and digital signatures

Question 87

Suricata

Answer 87

IDS/IPS/Network Security Monitoring (NSM)/offline pcap processing

Question 88

Ntopng

Answer 88

Web-based network traffic monitoring released under GPLv3

Question 89

Wireshark - Detect ICMP Ping Sweep Attempts

Answer 89

Icmp.type==8 or icmp.type==0

Question 90

Wireshark - Detect TCP ping sweep

Answer 90

Tcp.dstport==7

Question 91

Wireshark - Detect UDP ping sweep

Answer 91

Udp.dstport==7

Question 92

Wireshark - It is used to see if a port is open, RST response if port is closed

Answer 92

SYN+ACK

Question 93

Wireshark - Used if there is a large amount of RST or ICMP type 3 packets

Answer 93

Stealth Scan

Question 94

Wireshark - Used if the TCP session is less than 4 packets it can be a sign of a TCP port scan

Answer 94

Stealth Scan Detection – Statistics>Conversations>TCP

Question 95

Wireshark - A full three-way handshake to find open ports

Answer 95

A full connect scan

Question 96

Wireshark - Same detection method as stealth scan

Answer 96

TCP full connect scan detection

Question 97

Wireshark - Checks for SYN, SYN+ACK, RST+ACK or ICMP Type 3 packets

Answer 97

Full scan detection

Question 98

Wireshark - Null Scans

Answer 98

TCP packets without a setting flag
RST = Port closed, no response = open or filtered
Detect using TCP.flags==0x000

Question 99

Wireshark - Xmas Scans

Answer 99

Attacker uses FIN, PSH, and URG TCP flags and waits for a response
RST = Port closed, no response = open or filtered
Detect using tcp.flags==0x029

Question 100

Wireshark - ARP poisoning detection

Answer 100

• Duplicate IP address configured messages
• Arp.duplicate-address-detected
• Xarp is another tool that can be used to do this besides Wireshark

Question 101

PromqryUI

Answer 101

Detect network interfaces running in promiscuous mode

Question 102

NMAP

Answer 102

Detect network interfaces running in promiscuous mode using nmap –script=sniffer-detect (target ip address/range of ip addresses)

Question 103

ZENMAP

Answer 103

GUI version of NMAP

Question 104

DoS/DDoS - Volumetric Attacks

Answer 104

o	Measured in bits-per-second
o	UDP Flood
o	ICMP Flood
o	Ping of death
o	Smurf

Question 105

DoS/DDoS - Protocol Attacks

Answer 105

o	Measured in packets-per-second
o	SYN flood
o	Fragmentation
o	ACK flood
o	TCP state exhaustion

Question 106

DoS/DDoS - Application Layer Attacks

Answer 106

o Measured in requests-per-second
o HTTP GET/POST
o Sloworis

Question 107

DoS/DDoS - Permanent Attack

Answer 107

Plashing – Bricks the system (Bad firmware updates)

Question 108

DoS/DDoS - Distributed Reflection Attack

Answer 108

Reflects transmissions of third parties before the target to amplify attack

Question 109

DoS/DDoS Tools

Answer 109

o Low Orbit Ion Cannon – Flood target with UDP, TCP or HTTP packets or requests
o High Orbit Ion Cannon – DDOS version, just select IP/Port/Protocol
o Additional Tools – HULK, Black Hat Hacking Tools, DAVOSET, Tsunami, R-U-Dead-Yet

Question 110

KFSensor

Answer 110

Honeypot software to attract and detect hackers

Question 111

RFC 3704 Filtering

Answer 111

Limits impact by denying spoofed addresses

Question 112

CISCO IPS Source IP Reputation Filtering

Answer 112

Uses Cisco database to check reputation of connection source

Question 113

Black Hole Filtering

Answer 113

Discarding packets at the routing level

Question 114

Anti DDOS Guardian & D-Guard Anti-DDOS Firewall

Answer 114

Anti-DDOS software

Question 115

Incapsula

Answer 115

Mitigates any size attack without impacting legitimate traffic and latency

Question 116

Shell Injection

Answer 116

System (), StartProcess (), java.lang.runtime.exec (), System.Diagnostics.Process.Start ()

Question 117

Cross-Site Request Forgery

Answer 117

Spoofed requests on behalf of the logged in user

Question 118

\’

Answer 118

Single-quote character

Question 119

|

Answer 119

or

Question 120

\%27

Answer 120

Single-quote character

Question 121

--

Answer 121

Double-dash

Question 122

#

Answer 122

Hash

Question 123

\%23

Answer 123

Hex version of #

Question 124

What does the ‘i’ mean at the end of a regular expression?

Answer 124

Case insensitive

Question 125

What does the ‘x’ mean at the end of a regular expression?

Answer 125

Ignore white spaces

Question 126

\%3d

Answer 126

=

Question 127

\%3b

Answer 127

;

Question 128

\%6f

Answer 128

o

Question 129

\%4f

Answer 129

O

Question 130

\%72

Answer 130

r

Question 131

\%52

Answer 131

R

Question 132

\%2e

Answer 132

.

Question 133

\%2f

Answer 133

/

Question 134

\%5c

Answer 134

\

Question 135

16 bit Unicode

Answer 135

Replaces unusual Unicode with %u

Question 136

UTF-8

Answer 136

% followed by the hexcode (%c2 for example)

Question 137

Base64

Answer 137

Represents binary data in printable ASCII characters

Question 138

Hex Encoding

Answer 138

HTML encoding scheme that uses hex values of every character

Question 139

%0a

Answer 139

new line

Question 140

%20

Answer 140

space

Question 141

&amp

Answer 141

&

Question 142

&lt

Question 143

&gt

Answer 143

>

Question 144

Who is the Cloud Consumer?

Answer 144

The User

Question 145

Who is the Cloud Carrier?

Answer 145

Intermediary between user and provider (Transport services)

Question 146

Who is the Cloud Auditor?

Answer 146

Makes independent assessments of cloud service controls

Question 147

Who is the Cloud Broker?

Answer 147

Manages the cloud service and maintains relationship between provider and consumer (the reseller)

Question 148

AICPA SAS 70 Type II

Answer 148

Cloud Security best practice

Question 149

CloudPassage Halo

Answer 149

All security functions needed to deploy servers securely in public and hybrid clouds

Question 150

Pod Slurping

Answer 150

Stealing information using small devices like iPods/iPads/phones/MP3 players/etc

Question 151

Where to find USB Connected History

Answer 151

Windows - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB (Windows)

Mac - System Information->Hardware->USB

Linux - usb-devices

Question 152

ObserveIT

Answer 152

Threat Management solution that monitors user behavior with “eyes on the endpoint”

Question 153

DataRobot

Answer 153

Automated machine learning platform to detect insider threats

Question 154

Ekran System

Answer 154

Helps monitor/detect/analyze user-based insider threats

Question 155

NERC 1300

Answer 155

North America Electric Reliability Corporation

Question 156

Mirekusoft

Answer 156

Uninstaller

Question 157

SysAnalyzer

Answer 157

Malcode analyzer

Question 158

OWASP

Answer 158

Top 10 Web Application Security Risks

Question 159

Cross-site Forgery

Answer 159

Also known as one-click attacks