GENERAL CYSA TEST Flashcards
What is a Technical or Logical Control?
Type of security control implemented in a system, e.g. by hardware, software or firmware
What is an Operational Control?
Type of security control implemented by people
What are Managerial Controls?
Security controls that provide oversight of an information system
What is a preventative control?
Control that acts to eliminate or reduce the likelihood that an attack can succeed
What is a detective control?
Control that may not prevent or deter access but will identify and record an attempted intrusion
What is a corrective control?
Acts to eliminate or reduce the impact of an intrusion event
What is Security Intelligence?
Collecting data from live systems and analysing it to show the security status of said systems
What is Cyber Threat intelligence?
Proactive approach to researching emerging threats and their sources to keep an up to date image of the wider threat landscape
What is open source intelligence?
The process of obtaining information using public records, websites and social media
What is EPP and what does it do?
Endpoint Protection Platform- Swiss army knife of protection; can include AV, HIDS/HIPS, encryption, DLP and lots more all under one tool (mostly based on signature detection)
What is EDR and how does it differ from EPP?
Endpoint Detection & Response- Another program that includes many different security tools inside it. Differs from EPP as it monitors and triggers on behaviours instead of signatures.
What is UEBA and what does it do?
User Entity Behavior Analytics- System that provides automated identification of suspicious activity by user accounts and hosts. As there is so much data that needs analysing, AI is often used.
What is reverse engineering?
The process of analyzing the structure of hardware or software to reveal more about how it functions.
What can malware writers do to hide the identification of the payload and author of the malware to make it harder to detect?
They can obfuscate the code before it is assembled or compiled to prevent analysis.
What is a disassembler?
A program that translates machine language (binary) into assembly language!
What is a magic number?
Looking at a hex dump of a file, the first two bytes of the binary header that indicate its file type, e.g. E2 = PNG file
What is assembly code?
Instructions that have been translated from hex codes.
What do we use to get from HEX code to assembly code?
A decompiler
What is high-level code?
Pseudo-code- something that is human readable.
Why are we looking to return code into a human readable format?
So we can look for strings- We can then write rules for those strings and block them!
What does the STRINGS tool do?
Dumps all strings over three characters in ASCII or Unicode for analysis, with no need to use a disassembler
What is a program packer?
Method of compression in which an executable is mostly compressed, and the part that isn't only contains the code to decompress the executable
What is shellcode?
Any lightweight code that is designed to run an exploit on a target
What is code injection?
Exploit technique that runs malicious code under the identification number of a legitimate process- e.g. if the process number for Chrome is 10 and you run malicious code under process number 10, this would allow it to run.
What is living off the land?
When an attacker uses the tools already installed on the computer to continue the attack, e.g. using PowerShell for malicious purposes.
What free, open-source tool, provided by Microsoft can be used for behavior analysis?
Sysinternals by Microsoft
What processes will always be running if you look in your process tab in Windows Explorer?
System Idle (PID 0) and System (PID 4)
What manages low-level Windows functions, and is fine if you see several instances running provided they are run from SystemRoot/System32 and have no parent?
Client Server Runtime Subsystem (csrss.exe)
What manages drivers and services and should only have a single instance running as a process?
WININIT (Wininit.exe)
What is the most popular process hackers use to masquerade malware?
Services.exe
What does Services.exe do?
Hosts non-boot drivers and background services; the process should only have one instance and should be running as a child of Wininit.exe
Without looking at the service and only by who started it, what could we identify?
If started by a username- Potentially malicious; if by the SYSTEM, LOCAL SERVICE or NETWORK SERVICE accounts- NOT MALICIOUS
What is the Malware Attribute Enumeration and Characterization Scheme (MAEC)?
A standardized language for sharing structured information about malware that is complementary to STIX and TAXII to improve the automated sharing of threat intelligence!
What is Yara?
Multi-platform program used for identifying, classifying and describing malware samples. Helps with creating rules.
What is blacklisting?
Unless your name IS on the list, you are allowed
What is Whitelisting?
Put everything you want to block on the list, allow everything else
What is Execution Control?
The process of determining what additional software may be installed on a client or server beyond its baseline.
What is MIME?
Multipurpose Internet Mail Extensions- Allows the body of an email to support different formats, such as HTML, Rich Text Format, and binary data that can be encoded as base64 ASCII characters, and attachments.
Using authentication!
What is SPF?
Sender Policy Framework-
DNS record identifying hosts authorized to send mail for the domain, with only one being allowed per domain
What is DKIM?
DomainKeys Identified Mail
Provides a cryptographic authentication mechanism for mail utilizing a public key published as a DNS record- Works as follows: when you send an email, your domain's MTA assigns the email a hash value and sends it with the public key; when received, the recipient can compare hashes and see if they match, knowing it has not been modified in transit.
This is done by the servers, not by the users!
What is the framework that uses SPF and DKIM and utilizes a policy published as a DNS record?
DMARC
On an SMTP log, what does a status code 220 mean?
Indicates server is ready!
On an SMTP log, what does a status code 250 mean?
Message has been accepted
On an SMTP log, what does a status code 421 mean?
Service is not available
On an SMTP log, what does a status code 450 mean?
Server cannot access the mailbox, maybe the mailbox doesn't exist?
On an SMTP log, what does a status code 451 mean?
Local server aborted the action due to processing error
On an SMTP log, what does a status code 452 mean?
Your drive has filled up, there is no space to send this message!
What is S/MIME?
Same as MIME but adds digital signatures and public key cryptography
What are three examples of SIEMs?
Splunk, ELK Stack, AlienVault
What loses value over time?
Intelligence!
What is a false negative?
Not alerting when you should have
What is False Positive?
Alerting on things when you don't need to
What is a use case?
A specific condition that should be reported, such as a suspicious log-on or a process executing from a temporary directory.
What are the two places where we can get data from?
User Agent- endpoints, HIDS/HIPS etc.; Listener/Collector- things that push updates to the SIEM over a protocol like syslog or SNMP; Sensors- different sniffers and sensors, e.g. SPANs and TAPs
Once we have collected all the information from all the different sources, what do we need to do to be able to understand it?
Parsing and normalization are needed, as the information will come in many different formats and will not be readable without translation and review inside the SIEM
What could be a potential problem when collecting data from sources that span multiple countries?
Different sources will log events in their local timezone, so it will be difficult to create a timeline if the sources cross timezones. Mitigation is using UTC (Universal Time Zone)
What is a syslog?
A protocol enabling different appliances and software applications to transmit logs or event records to a central server
When doing Data Forensics, what do we collect first and what is next?
Order of volatility: make sure you collect data from things that may change soon first.
CPU registers and cache memory; contents of system memory (RAM), e.g. routing tables, temp swap files, ARP cache, process tables; data on persistent mass storage, e.g. hard drive, SSD, flash drive; remote logging and monitoring data (SIEMs); and lastly physical config and network topology
What are the three tools we use in forensics?
Encase, The Forensic Toolkit (FTK), The Sleuth Kit
In digital forensics, what is Live Acquisition?
Capturing the contents of memory while the computer is running
In digital forensics, if the device you are investigating has a high likelihood of crashing, what method of collection can you use?
Crash dump- Won't be a full copy
What is a Hibernation File?
A file that is written to the disk when the workstation is put into a sleep state
What is a pagefile?
A file that stores pages of memory in use that exceed the capacity of the host's physical RAM modules- Page files get written to the hard drive.
What happens to data that is written to RAM when you power off the system?
You lose it!
Why would you use a write blocker?
To stop someone being able to remove your hard drive and be able to write to it!
What hashing algorithm uses 128-bit digest and is susceptible to collisions?
MD5
What is the name of the modern hashing algorithm?
SHA (Secure hashing algorithm)
What type of hashing uses a 160-bit hash digest?
SHA-1
What type of hashing uses a 256- or 512-bit hash digest and is the current version of hash used in modern forensics?
SHA-2
What type of firewall should you use if you are using a web server?
Web Application Firewall
What is a proxy server?
A server that acts as a gateway between you and the internet
What is a Forward Proxy?
A proxy that acts on behalf of a user- You connect to the proxy and the proxy connects to the website of your choosing
What is a reverse Proxy?
A type of server that protects your internal servers from the outside user- The outside user makes a request to the proxy and the proxy makes the request to the internal server
Why is a reverse proxy a good way of collecting information?
You can log the data and analyse it.
What is an Access Control List?
Used inside firewalls- A list of permitted and denied connections based on IP address, ports or applications in use
What is Sysinternals used for?
To identify the baseline and see what is "normal", e.g. see what processes are running