General

Question 1

What is in CIA triad

Answer 1

Confidentially
Integrity
Availability

Question 2

List 6 step incident response

Answer 2

Prepare
Detection and analysis
Containment
Eradication
Recovery
Post incident activity or lessons learned

Question 3

What are the triple AAA

Answer 3

Stands for accounting, authentication, and authorization

Question 4

What is MITREs model for post attack techniques called

Answer 4

ATT&CK
adversial tactics , techniques, and common knowledge

Question 5

List 7 steps of kill chain attack

Answer 5

Recon
Weaponization
Delivery
Exploitation
Installation
Command and control
Actions on objectives

Question 6

What are the general 5 steps to hacking

Answer 6

Recon
Scanning
Gaining access
maintaining access
Covering tracks

Question 7

What are 5 steps of pen test

Answer 7

Planning
Scanning
Gaining access
Maintaining access
Analysis & reporting

Question 8

List examples of substitution ciphers

Answer 8

Rot13, Caesar cipher, and keyword cipher

Question 9

What is one time pad

Answer 9

It’s unbreakable if properly used. Each person would get copy of pad to encrypt message which was the key

Question 10

What is symmetric crypto

Answer 10

Uses one key to encrypt and decrypt

Question 11

Symmetric key crypto uses what two ciphers and how do they encrypt

Answer 11

Block and stream
Block is by bytes while stream is bit at a time

Question 12

List some symmetric key algorithms

Answer 12

Des,3des, and aes

Question 13

List popular stream ciphers

Answer 13

RC4, seal, and ORYX

Question 14

What two keys does asymmetric crypto use

Answer 14

Public and private

Question 15

List common asymmetric algorithms

Answer 15

RSA, ECC, ECDSA, DSS, el gamal, and diffie hellman

Question 16

List common hash algorithms

Answer 16

Sha, md5, and RACE

Question 17

How does a digital signature get made using PKI

Answer 17

First hashed
Encrypted using private key
Receiver uses public key to decrypt

Question 18

Ocsp versus crl

Answer 18

CRL is list download and checked
While online certificate services protocol checks certificate online to see if valid

Question 19

What is ocsp stapling

Answer 19

Instead of web browser reaching out to ca. Web server caches response from oscp, and then staples response to certificate sent to client

Question 20

What are the 5 threat intelligence lifecycle steps

Answer 20

Planning & requirements
Collection and processing
Analysis
Dissemination
Feedback

Question 21

What are pkcs

Answer 21

Public key cryptographic standards for different uses in PKI infrastructure

Question 22

What is pkcs 7 used for

Answer 22

Sign or encrypt messages

Question 23

What is pkcs 10 used for

Answer 23

It’s standard to be used to request certificate from CA

Question 24

What is pkcs 12 or pfx

Answer 24

File that stores private key, certificate chain, and certificate can be protected by password

Question 25

What are 2 use cases of pkcs 7

Answer 25

Store certificates or CRL lists

Question 26

What does windows event logon type 2 mean

Answer 26

It was an interactive login

Question 27

What does windows event log type 3 mean

Answer 27

It was network login such as connection to shared drive

Question 28

What does windows event logon type 10 mean?

Answer 28

Remote interactive such as rdp or terminal services

Question 29

What trust model does full disk encryption use

Answer 29

Hardware root of trust

Question 30

What are standard operating procedures

Answer 30

Step by step instructions on how to carry out a task

Question 31

What are the iso 27000 standards

Answer 31

Series of standards that provide framework for info sec management practices

Question 32

What is iso 27001

Answer 32

Framework and standards for information security management systems

Question 33

What is operational technology?

Answer 33

It is systems that are used to monitor and manage manufacturing or industrial process assets

Question 34

What is an ics and scada system

Answer 34

industrial control systems
Supervisory control and data acquisition systems

Question 35

What vulnerabilities do legacy industrial systems like modbus possess

Answer 35

Don’t always support authentication, confidentiality, and replay protection

Question 36

What are the 7 logging facility levels in syslog

Answer 36

1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug

Question 37

What is ntp and what port does it use?

Answer 37

Network time protocol
Uses udp port 123

Question 38

What is log normalization

Answer 38

Converting log data into particular data representation and categorizing consistently

Question 39

Why should logs use UTC time

Answer 39

It’s universal can easily convert to whatever time zone analyst is working in

Question 40

What are the 4 areas in diamond model

Answer 40

Adversary
Capabilities
Infrastructure
Victim

Question 41

What are 2 examples of hardware root of trust devices

Answer 41

TPM and HSM hardware security module

Question 42

What do physical controls do?

Answer 42

Mitigate risks to physical security and also include technical controls

Question 43

What do administrative/managerial controls do?

Answer 43

Mitigate risks by implementing certain processes and procedures

Question 44

What do technical controls do?

Answer 44

Manage risk using technical measures such as antivirus or firewall

Question 45

What are key and compensating controls

Answer 45

Key are ones that are primary and can affect an entire process if they fail

Compensating replace impracticable or unfeasible key controls

Question 46

What is nist sp 800-53

Answer 46

Security and privacy controls for info systems

Question 47

What 2 frameworks are common for cyber security

Answer 47

Iso 2700 series and nist sp 800-37 risk management and sp 800-35 security and privacy controls

Question 48

What is iaas, paas, and saas

Answer 48

Iaas is cloud stuff like vps
Paas platform with some control like azure and
Saas is little to no control like office 365

Question 49

What else are counter measures called in risk management?

Answer 49

Security controls

Question 50

What is user acceptance testing

Answer 50

Where users test stuff like beta testing

Question 51

What is regression testing ?

Answer 51

re-running functional and non-functional tests to ensure that previously developed and tested software still performs as expected after a change

Question 52

What can regression testing help with in security ?

Answer 52

Make sure any new changes don’t introduce new security vulnerabilities

Question 53

What is machine code

Answer 53

Compiled form like a pe file

Question 54

What is assembly code

Answer 54

low-level programming language with a very strong correspondence between the instructions in the language and the architecture’s machine code instructions

Question 55

What is high level code

Answer 55

At a human readable level for humans

Question 56

What is a disassembler

Answer 56

Coverts compiled to assembly

Question 57

What is a decompiler

Answer 57

Converts compiled back into human readable output

Question 58

Do debuggers do dynamic or static analysis

Answer 58

Dynamic

Question 59

What are the 5 stages of threat intelligence

Answer 59

Planning & requirements
Collection & processing
Analysis
Dissemination
Feedback

Question 60

What are the 4 categories in threat intel

Answer 60

Strategic
Tactical
Operational
Technical

Question 61

What is in strategic threat intel category

Answer 61

High level for non technical audiences

Question 62

What is in tactical threat intel category

Answer 62

Details of tactics techniques and procedures TTPs

Question 63

What is in operational Intel category

Answer 63

Actionable info about incoming attacks

Question 64

What is in technical Intel category

Answer 64

Technical threat indicators like hash or C2 IP address

Question 65

What are the 3 ways to assess threat intel sources

Answer 65

Timeliness
Relevancy
Accuracy

Question 66

What is an ISAC

Answer 66

Information sharing and analysis centers

Question 67

Why are ISACs good to use?

Answer 67

They tend to be focused for certain industries like healthcare

Question 68

What are the two benefits of PAM?

Answer 68

Higher level privileges are temporarily given
Auditing is done to monitor what is done

Question 69

What is IAM versus PAM

Answer 69

Identity access management is 5 Ws of access to resources. Also management of passwords and user lifecycle
Privileged access management is subset of IAM. Identifies accounts needing privileged access, and specifies policies that apply to them

Question 70

What is Microsoft’s PIM

Answer 70

Provides time based and approval based privileged access. Some vendors include this in their PAM product they sell

Question 71

What is JIT PAm

Answer 71

Just in time which refers to given privileged access only for a certain time period to do the jobs or tasks that require it

Question 72

What is a sla

Answer 72

Service level agreement between provider and client about metrics, responsiveness, and responsibilities

Question 73

What is an SLO

Answer 73

Service level objective is an agreement about a specific metric or response time

Question 74

What is an SLI

Answer 74

Service level indicator is used to measure compliance with a SLO and SLA

Question 75

What are operational controls

Answer 75

Executed by company personnel during day to day operations

Question 76

3 examples of operational security controls

Answer 76

Change management
Security awareness training
Business continuity plan

Question 77

What are deterrent controls

Answer 77

Includes some preventative controls like guard dog. Meant to deter someone like cctv or warning sign

Question 78

What are detective controls

Answer 78

Used to investigate an incident examples are log files and CCTV

Question 79

What are Corrective/responsive controls

Answer 79

Actions you take to recover from incident like restore from back up tape. Or a fire suppression system

Question 80

What are preventative controls

Answer 80

In place to deter an attack like security guard with dog. Disabling user accounts and OS hardening

Question 81

What is DAC

Answer 81

Discretionary access control based on user and permission to objects such as NTFS full control

Question 82

What is mandatory access control?

Answer 82

Based on classification level of data such as top secret, secret, and confidential

Question 83

In Linux permissions what are these area -r-srwxr-x

Answer 83

Left part is type such as d for folder, l for link, and - for normal file
The next 3 parts are permissions left is owner,group, and all others
s means a setuid has been set and regular user will execute it with privileges of owner

Question 84

What is useful about sticky bit in Linux

Answer 84

Has t means anyone can write but only owner can delete files

Question 85

What is time offset

Answer 85

Regional time of where data was collected

Question 86

What is Time synchronization ?

Answer 86

Evidence from multiple time zones put in one time such as UTC. Also a protocol like NTP used so all devices have correct time

Question 87

What port does ntp use

Answer 87

Port 123

Question 88

What is STIX

Answer 88

It’s a standard for sharing information about cyber threats and to share cyber threat intel. Version 2 is json

Question 89

What is a Stix domain object ?

Answer 89

Sdo’s allow you to categorize each piece of info with specific attributes

Question 90

What is a STIX relationship object?

Answer 90

Way to link data there are 2 relationship and sighting

Question 91

What is TAXII

Answer 91

A protocol to share threat intelligence data

Question 92

What is the diamond model usually used for?

Answer 92

Use threads to show how an attacker behaves during attack. Can be mapped to kill chain

Question 93

What is threat modeling ?

Answer 93

Proactive way they uncover threats and how they are doing it

Question 94

What is the open source testing methodology manual OSSTMM?

Answer 94

Provides a guide on performing a security test or audit

Question 95

What is the owasp testing guide?

Answer 95

Provides a guide to testing web applications

Question 96

5 steps part of risk assessment

Answer 96

Gather info about what assets are there, applications, and IT systems
Define and classify assets
Explore potential vulnerabilities
Explore potential threats
Create mitigation strategies

Question 97

What is passive scanning

Answer 97

Using sources such as OSINT, and traffic captures. No direct interaction with host

Question 98

What is active scanning

Answer 98

Provides more details like updates installed on machine
Port scanning is another example

Question 99

What is device fingerprinting

Answer 99

Uniquely identifies assets on device such as what OS they are running

Question 100

What is a map scan?

Answer 100

Wide scan that shows all assets on a network such as LAN

Question 101

Why is credentialed scanning better than non credentialed

Answer 101

Provides more detail non credential may not have all permissions

Question 102

Agent versus non agent vulnerability scanning ?

Answer 102

Credentialed by default, doesn’t use as much bandwidth, increased management over head

Agentless less overhead,can be credentialed or not, won’t always provide all information without configuration changes

Question 103

What is a cpe in vulnerability scanning?

Answer 103

Way to show info about os,hardware and software such as OS running

Question 104

What is the point of a CVSS score?

Answer 104

Metric for comparing and prioritizing vulnerabilities

Question 105

What is a true positive

Answer 105

Legit attack detected

Question 106

What is a false positive

Answer 106

Alert when there was no attack

Question 107

False negative

Answer 107

No alarm raised but attack happened

Question 108

True negative

Answer 108

No alert given when legit activity occured

Question 109

What are the CVE score levels

Answer 109

From 0 none
0.1-3.9 Low
4.0-6.9 medium
7-8.9 High
9-10 critical

Question 110

What is the attack vector metric in CVSS

Answer 110

Reflects context by which vulnerability is exploitable

Question 111

What are the 3 metrics in CVSS score

Answer 111

Base required
Temporal

Question 112

What are the 4 attack vectors?

Answer 112

Network, adjacent, local, and physical

Question 113

In CVSS score what is the attack complexity?

Answer 113

Measure conditions beyond attackers control there are two low and high

Question 114

In CVSS score what are privileges required

Answer 114

Describes privileges attacker must have none,low,and high

Question 115

In CVSS score what is user interaction

Answer 115

Metric measures if a other user is required to participate in successful compromise. None or required like phishing link

Question 116

What does dynamic ARP inspection do?

Answer 116

It checks a database such as the DHCP snooping database to prevent arp spoofing.

Question 117

What does DHCP snooping do?

Answer 117

Builds a database of Mac and DHCP leases. Which helps DAI against arp spoofing. Also prevents rogue DHCP servers and DHCP starvation attacks

Question 118

What is a kerberoasting attack?

Question 119

What is an XXE web attack and what is the typical field used?

Answer 119

An attack that allows one to interfere with an applications processing of xml data. Typically the external entities field is used which loads stuff from outside xml file

Question 120

What are the 4 types of XXE attacks?

Answer 120

Exploiting to retrieve files
Used to perform SSRF
Blind XXE to exfiltrate data out of bound
Blind XXE to retrieve data via error messages

Question 121

What is a local file inclusion web vulnerability?

Answer 121

Attacker tricks website into running or exposing files

Question 122

What is a remote file inclusion web vulnerability?

Answer 122

An attacker forces webserver to include code and run code form remote url.

Question 123

What is cross site scripting XSS?

Answer 123

Allows an attacker to manipulate web server to run malicious code for other users

Question 124

What is a reflected XSS attack?

Answer 124

Malicious script comes from HTTP request

Question 125

What is a stored XSS attack and what is one example?

Answer 125

When an app receives data from untrusted source and includes it in later http responses

An example is a comment on a web server page that will run malicious code

Question 126

What are DOM based cross site scripting

Answer 126

An app contains client side JavaScript that processes data from untrusted source in malicious way

Question 127

What is a cross site request forgery CSRF web attack?

Answer 127

An attacker exploits web app to make users do action they didn’t intend to do

Question 128

How do you prevent cross site request forgery attacks?

Answer 128

Use same site cookies
And or a unique CSRF token

Question 129

What is a server side request forgery?

Answer 129

Web app attacked to make vulnerable backend server run malicious code