GENERAL CYSA TEST

Question 1

What is a Technical or Logical Control?

Answer 1

Type of Security Control- In a system e.g by hardware, software, firmware

Question 2

What is an Operational Control?

Answer 2

Type of Security Control- Implimented by people

Question 3

What is Managerial Controls?

Answer 3

Security Control Provides oversight of a information system

Question 4

What is a preventative control?

Answer 4

Control that acts to elininmate or reduce likelihood that an attack can success

Question 5

What is a detective control?

Answer 5

Control that may not prevent or deter access but will identify and record an attempted intrusion

Question 6

What is a corrective control?

Answer 6

As Acts to elinate or reduce the impact of intrusion event

Question 7

What is Security Intelligence?

Answer 7

Collecting data from live systems and analyising it to show the security status of said system

Question 8

What is Cyber Threat intelligence?

Answer 8

Proactive approach to researching emerging threats and their sources to keep an up to date image of the wider threat landscape

Question 9

What is open source intelligence?

Answer 9

The process of obtaining information using public records, websites and social media

Question 10

What is EPP and what does it do?

Answer 10

Endpoint Protection Platform- Swiss army knife of protection, can include AV, HIDS/HIPS/ Encryption DLP and lots more all under one tool (Mostly based on signature detection)

Question 11

What is EDR and what how does it differ from EPP?

Answer 11

Endpoint Detection & Response- Another prorgam that includes many different security tools inside it. Differs from EPP as it monitors and triggers on behaviours instead of signatures.

Question 12

What is UEBA and what does it do?

Answer 12

User Entity Behavior Analytics- System that provides automated identfification of suspicious activity by user accounts and hosts. As there is so much data that needs analyising, AI is often used.

Question 13

What is reverse engineering?

Answer 13

The process of analyzing the structure of hardware or software roto reveal more about how it functions.

Question 14

What can malware writers do to hide the identification of the payload and author of the malware to make it harder to detect?

Answer 14

They can obfuscate the code before it is assembled or compiled to prevent analysis.

Question 15

What is a disassembler?

Answer 15

A program that translates machine language (binary) into assembly language!

Question 16

What is a magic number?

Answer 16

Looking at a HEX file and the first two bytes of the binary header that indicates it file type. e.g E2 = PNG file

Question 17

What is assembly code?

Answer 17

Instructions that has been translated from hex codes.

Question 18

What do we use to get from HEX code to assembly code?

Answer 18

A decompiler

Question 19

What is high-level code?

Answer 19

Pesudo-code- something that is human readable.

Question 20

Why are we looking to return code into a human readable format?

Answer 20

So we can look for strings- We can then write rules of those strings and block them!

Question 21

What does the STRINGS tool do?

Answer 21

Dump all strings over three characters in ASCII or Unicode for analysis, no need for use of dissembler

Question 22

What is a program packer?

Answer 22

Method of compression which and executable is mostly compressed and that part that isnt only contains the code to decompress the executable

Question 23

What is shellcode?

Answer 23

Any lightweight code that is designed to run a exploit on a target

Question 24

What is code injection?

Answer 24

Exploit technique that runs malicious code with the identification number of a legitimate process- e.g process number for Chrome is 10, you run malicious code under the process code 10, this would allow it to run.

Question 25

What is living off the land?

Answer 25

When an attacker uses the tools already installed on the computer to continue the attack. e.g using powershell for malicious reasons.

Question 26

What free, open-source tool, provided by Microsoft can be used for behavior analysis?

Answer 26

Sysinternals by Microsoft

Question 27

What processes will always be running if you look in your process tab in windows explorer?

Answer 27

System Idle (PID 0) and System (PID 4)

Question 28

What manages low level windows functions and is fine if you see several running providing they are run from SystemRoot/System32 and have no parent?

Answer 28

Client Server Runtime Subsystem (csrss.exe)

Question 29

What manages drivers and services and should only have a single instances running as a process?

Answer 29

WININIT (Wininit.exe)

Question 30

What is the most popular process hackers use to masquerade malware?

Answer 30

Services.exe

Question 31

What does Services.exe do?

Answer 31

Hosts nonboot drivers and background services, the process should only have one instance and should be running as a child of WINIT.exe

Question 32

Without looking at the service and only by who started it, what could we identify?

Answer 32

If started by username- Potentially malicious, if by SYSTEM, LOCAL, SERVICE OR NETWORK SERVICE ACCOUNTS- NOT MALICIOUS

Question 33

Whatt is the Malware Attribute Enumberation and Characterization Scheme? (MAEC)

Answer 33

A standardized language for sharing structured information about malware that is complementary to STIX and TAXII to improve the automated sharing of threat intelligence!

Question 34

What is Yara?

Answer 34

Multi-platform program used for identifying, classifying and describing malware samples. Helps with creating rules

Question 35

What is blacklisting?

Answer 35

Unless your name IS on the list, you are allowed

Question 36

What is Whitelisting

Answer 36

Put everything you want to block on the list, allow everything else

Question 37

What is Execution Control?

Answer 37

he process of determine what additional software may be installed on a client or server beyond its baseline.

Question 38

What is MIME?

Answer 38

Multipurpose Internet Mail Extensions- Allows a body of an email to support differnt formats, such as HTML, Rich Text format, and binary data, that can be encoded as base64 ASCII Characters and attachments.

Question 39

Multipurpose Internet Mail Extensions- Allows a body of an email to support differnt formats, such as HTML, Rich Text format, and binary data, that can be encoded as base64 ASCII Characters and attachments.

Answer 39

Using authentication!

Question 40

What is SPF?

Answer 40

Sender Policy Framework-
DSN record identifiying hosts authorized to send mail for the domain with only one being allowed per domain-

Question 41

What is DKIM?

Answer 41

DomainKey Identified Mail
Provides a cryptographic authentication mechanism for mail utilizing a public key publishes as a DNS record- Works as when you send an email, your domain MTA is going to assign the email a hash value and send it with the public key, when recived, it can ,compare hashes and see if it matches, knowing it has not been modified in transit.
This is done by the servers, not by the users!

Question 42

What is the framework that uses SPF and DKIM and utilizes a policy publishes as a DNS record?

Answer 42

DMARC

Question 43

On a SMTP log what does a status code 220 mean?8 important

Answer 43

Indicates server is ready!

Question 44

On a SMTP log what does a status code 250 important

Answer 44

Message has been accepted

Question 45

On a SMTP log what does a status code 421?

Answer 45

Service is not available

Question 46

On a SMTP log what does a status code 450

Answer 46

Server cannot access mailbox, maybe the mailbox doesnt exsist?

Question 47

On a SMTP log what does a status code 451

Answer 47

Local server aborted the action due to processing error

Question 48

On a SMTP log what does a status code 452

Answer 48

Your drive has filled up, there is no space to send this message!

Question 49

What is S/MIME?

Answer 49

Same a MIME but adds digital signatures and public key cryptography

Question 50

What are three examples of SIEMS?

Answer 50

SPLUNK, ELK STACK, Alien vault

Question 51

What loses value over time?

Answer 51

Intelligence!

Question 52

What is a false negative?

Answer 52

Not alerting when you shouldve

Question 53

What is False Positive?

Answer 53

Alerting things when you dont need to

Question 54

What is a use case?

Answer 54

A specific condition that should be reposted, such as a suspicious log-on or process executing from a temporary directory.

Question 55

Whatre the two places where we can get data from?

Answer 55

User Agent- Endpoints, HIDS.HIPS etc && Listener/Collector-Things that push updates to the SEIM over a protocol like syslog or SNMP && Sensors differnt sniffers and sensors - e.g SPANS and TAPS

Question 56

Once we have collected all the information from all the different sources, what do we need to do to be able to understand it?

Answer 56

Parsing and normalization is needed as all the information will come in in different formats and will not be readable without translation and review inside SIEM

Question 57

What could be a potential problem when collecting data from sources that span multiple countries?

Answer 57

When logging, different logs will be logged at their local timezone, when trying to create a timeline, it will be difficult to create a timeline if crossing timezones. Mitigatation is using UTC (Universal Time Zone)

Question 58

What is a syslog?

Answer 58

A protocol enabling different appliances and software applications to transmit logs or event records to a central server

Question 59

When doing Data Forensics, what do we collect first and what is next?

Answer 59

Order of volitilalty, make sure you collect data from things that may be changed soon
CPU registers and Cahe memory - Contents of system memory (RAM) e.g routing tables, temp swap files, ARP Cache, process tables- Data on persistent mass storage e.g Hard drive, SDD, Flash drive- Remote logging and monitoring data( SIEMS) and lastly- Physical config and network topology

Question 60

Whatre the three tools we use in forensics?

Answer 60

Encase, The Forensic Toolkit (FTK), The Sleuth Kit

Question 61

In digital Forensics, what is Live Acquisition

Answer 61

Capturing the contents of memory while the computer is running

Question 62

In digital Forensics, if the device you are investigating has a highliklihood of crashing, what method of collection can you use?

Answer 62

Crashdump- Wont be full copy

Question 63

What is a Hibernation File?

Answer 63

A file that is written to the disk when the workstation is put into a sleep state

Question 64

What is a pagefile?

Answer 64

A file that stores pages of memory in use that exceed the capacity of the hosts physical RAM modules- Page files get written to the hard drive.

Question 65

What happens to data that is written to RAM when you power off the system?

Answer 65

You lose it!

Question 66

Why would you use a write blocker?

Answer 66

To stop someone being able to remove your hard drive and be able to write to it!

Question 67

What hashing algorithm uses 128-bit digest and is susceptible to collisions?

Answer 67

MD-5

Question 68

What is the name of the moderen hashing algorithm?

Answer 68

SHA (Secure hashing algorithm)

Question 69

What type of hashing uses 160 bit hash digest?

Answer 69

SHA-1

Question 70

What type of hashing uses 256 or 512-bit hash digest and is the current version of hash used in modern forensics?

Answer 70

SHA-2

Question 71

What type of firewall should you use if you are using a web server?

Answer 71

Web Application Firewall

Question 72

What is a proxy server?

Answer 72

A server that acts as a gateway between you and the internet

Question 73

What is a Forward Proxy?

Answer 73

A proxy that acts on behalf of a user- You connect to the proxy and the proxy connects to the website of your chosing

Question 74

What is a reverse Proxy?

Answer 74

A type of server that protects your internal servers from the outside user- Outside user makes request to Proxy and Proxy makes request to internal server

Question 75

Why is a reverse proxy a good way of collecting information?

Answer 75

You can log the data and analyse it.

Question 76

What is an Access Control List?

Answer 76

Used inside Firewalls- A list of permitted and denied connections based on IP address, Ports or Applications in use

Question 77

What is systernals used for?

Answer 77

To identify the baseline and see what is “normal” see what process are running