General Knowledge Flashcards
What is GRC?
Governance, Risk Management, and Compliance
What tool should businesses use to track risks?
Risk Register
What role does Governance play in the approach to Cybersecurity?
Responsible for creating and maintaining organizational policies. Defines the organization's expectations of its employees and its approach to cybersecurity.
What are SLOs within cybersecurity and a Security Operations Center?
Service Level Objectives: the measurable standards (e.g. detection and response times) that the organization and its leadership commit to meeting to ensure the security of the network.
What are MTTD and MTTR?
Mean Time to Detect
Mean Time to Recover (also used for Respond/Remediate)
What are the 4 Risk Responses
Avoid
Accept
Mitigate
Transfer
Briefly describe Threat Modeling
Designed to identify the principal risks and the tactics, techniques and procedures (TTPs) a given system may be subject to, by evaluating the system both from an attacker's point of view and from a defender's point of view.
Name some standard frameworks that provide security control catalogs
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
ISO/IEC 27001 and the CIS Critical Security Controls (18 controls in v8)
Name the 3 different classes of Control Types
Technical - Systems
Operational - People
Managerial - Oversight
Modern approaches to security controls include preventative controls; name the 4 additional functional types.
Detective
Corrective
Compensating
Responsive
This control acts to eliminate or reduce the likelihood of an attack succeeding, e.g. ACLs, file system permissions, antivirus.
Preventative
This control does not stop an attack but identifies and records any attempted or successful intrusion, e.g. logging, IDS alerts.
Detective
This control acts to eliminate or reduce the impact of an intrusion attempt.
Corrective
This control serves as a substitute for a principal control.
Compensating
It must satisfy the same standard or requirement and afford the same or better protection than the control it replaces.
This control serves to direct corrective action.
Responsive
SOC response with well-defined procedures
The term for adopting a functional approach to security controls that maps to known adversary tools and tactics.
Course of Action Matrix (CoA)
Name two of the most popular hardening guides
CIS Benchmarks (per-product guides; individual guides can run to around 1000 pages)
DISA Security Technical Implementation Guides (STIGs), published for the Department of Defense
What attack surface analysis technique uses the MITRE ATT&CK framework to script realistic adversary behaviour?
Adversary emulation (red team engagement)
Compare adversary emulation with penetration testing
The goal of a penetration test is to simulate an attack to identify vulnerabilities and weaknesses, then prioritize them based on the findings.
Adversary emulation has a red team simulate a specific real-world adversary's TTPs end to end to assess the organization's defenses; it is much more comprehensive than a pen test.
What is the attack surface analysis that offers rewards based on certain elements?
Bug Bounty
What is the difference between Threat Intelligence and Threat Hunting?
Both encompass the strategies used to detect and protect against active threats.
Threat Intelligence describes gathering and analyzing data to help identify potential threats and determine the most cost-effective way to mitigate them.
Threat Hunting is the active, hypothesis-driven search for signs of malicious activity already on the network, using tools and techniques to comb through logs, endpoint and network telemetry for threats that automated alerting missed.
Who publishes the Common Vulnerabilities and Exposures (CVE) list?
MITRE (mitre.org)
What is the common term for Command and Control
C&C or C2
Name a defining characteristic of an APT (Advanced Persistent Threat)
Persistence: the adversary maintains long-term covert access and removes evidence of the intrusion to stay undetected.
What is OSINT
Open-Source Intelligence - using publicly available information such as web sites, blogs, chat forums, etc.
What are the two broad types of categories for Threat Intelligence
Strategic - High level of view of the threat landscape- trends, tactics, and techniques that threat actors use.
Operational - more granular about specific threats such as malware analysis and network forensics
What is an ISAC?
Information Sharing and Analysis Center - encouraged by the US government (PDD-63, 1998) as public/private partnerships and industry associations that disseminate sector-specific threat intelligence
What alliance do cybersecurity vendors openly share threat information with?
Cyber Threat Alliance (CTA)
What is CISA
US Cybersecurity and Infrastructure Security Agency
What are IoCs and IoAs? Describe them
Indicators of Compromise: artifacts (file hashes, IP addresses, domains, registry keys) showing that a breach has already occurred
Indicators of Attack: behaviours showing that an attack is in progress, before it succeeds
Each indicator carries a confidence level assigned by the threat intelligence source
What is attack data that describes the TTPs of current, active cyberattacks, contributed by many organizations?
Crowdsourced attack data
What technique plays a crucial role in identifying and analyzing IoCs?
Digital Forensics
What is the term for using offensive actions to outmaneuver an adversary and make an attack harder to execute?
Active Defense, for example:
Honeypots
Honeynets
Active Decoys
What are the key differences of serverless platforms compared with other cloud compute models?
Complete hardware and OS abstraction: the provider runs the code on demand, and billing is per execution (measured in milliseconds of run time) rather than per provisioned instance-hour.
What are the 3 "planes" of Software Defined Networking?
Control Plane - decides how traffic should be prioritized and secured and where it should be switched
Data Plane - handles the actual switching and routing of packets, including enforcing any ACLs
Management Plane - monitoring of traffic conditions and network status
What is a networking and security architecture that provides secure access to cloud applications and services while reducing complexity
SASE
Secure Access Service Edge
SASE plays a key role in Zero Trust Architecture
The act or cooperation between multiple systems or companies to enable access via trusted accounts is called ___________
a Federation
What is the standard method companies use to authenticate users between systems such as Google and Amazon, and what protocol is it built on?
OpenID Connect (OIDC), an identity layer built on the OAuth 2.0 authorization protocol
What is the XML-based language used to exchange authentication information between a client and a service provider?
Security Assertion Markup Language (SAML)
What is the XML-based web services protocol used to exchange structured messages between web services?
Simple Object Access Protocol (SOAP)
In relation to transitive trust: if resource A trusts resource B and resource B trusts resource C, then (T or F) resource A trusts resource C
True
Transitive trust models avoid a single point of failure, but every link in the chain must be trustworthy: a compromise at C inherits A's trust.
What is the enterprise management software designed to mediate access to cloud services by users across all types of devices?
Cloud Access Security Broker (CASB)
What are the 3 CASB implementations?
Forward Proxy - appliance at the client network edge; can be bypassed by unmanaged devices and raises performance concerns
Reverse Proxy - sits at the cloud network edge; needs no client agent, but the cloud application must support the proxy
API - uses the cloud app's own API; no inline traffic inspection, so visibility depends on what the API exposes
What is SOAR and what function does it serve?
Security Orchestration, Automation, and Response
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment
What is a SIEM and how does SOAR work with this type of system?
Security Information and Event Management: collects, correlates and alerts on log data from across the environment
SOAR can bolt onto a SIEM and trigger a playbook after the SIEM generates an alert
Describe relationship between Regulations and Standards
regulations describe legal requirements and ramifications; the details of compliance are oftentimes provided in prescriptive form within a standard.
OWASP is _________
Open Worldwide Application Security Project (formerly Open Web Application Security Project) - international non-profit providing unbiased information about application security
Publishes the OWASP Top 10
Maintains the ModSecurity WAF engine and the ModSecurity Core Rule Set (CRS)
What is static analysis in regard to vulnerability scanning?
Inspection of source code (or binaries) without executing them, either manually or with SAST tooling, to identify vulnerabilities and weaknesses.
True or False - fingerprinting in vulnerability analysis is the same as mapping
False - fingerprinting identifies the OS, services and versions of an individual device, while mapping discovers the hosts and topology of the network as a whole
What is Dynamic Analysis in Vulnerability
A more rigorous approach typically using vulnerability scanning software and even Pen Testing
What is Fuzzing?
A form of black-box (dynamic) testing that uses specialty tools to find bugs in an application by deliberately feeding it malformed or unexpected input and watching for crashes, hangs or other anomalies.
What is Operational Technology (OT)?
Systems that operate separately from corporate IT and are typically comprised of PLCs and SCADA networks.
What type of system provides mechanisms for workflow and process automation in Industries
Industrial Control Systems (ICSs)
Plant devices and equipment with embedded PLCs
What is SCADA?
Supervisory Control and Data Acquisition: a system that takes the place of a control server in a multi-site ICS, collecting data from and issuing commands to remote field sites.
What type of control language do PLCs use?
A special sequential control language called Ladder Logic
What is the command to change file and folder permissions in Linux?
chmod
Permission bits are set for three classes: owner, group, other
4 = read (r)
2 = write (w)
1 = execute (x)
Add the values per class, e.g. chmod 750 gives owner rwx, group r-x, other ---
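Added example (not from the deck): the r=4, w=2, x=1 bits behind chmod, converted in both directions, applied with os.chmod, read back with os.stat, and audited for the usual mistakes (world-writable, setuid). It assumes a POSIX system; the temporary file and the mode strings are constructed here.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Bit values per permission character; each class (owner, group, other) is one octal digit.
BITS = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(mode: str) -> int:
    """Convert a 9-character ls -l mode string ('rwxr-x---') to its numeric value (0o750).

    Only the rwx bits are returned; a lowercase s/t means the x bit is set (plus a
    special bit), an uppercase S/T means the special bit is set but x is not.
    """
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters, e.g. rwxr-x---")
    value = 0
    for pos, ch in enumerate(mode):
        expected = "rwx"[pos % 3]          # each triplet is r, w, x in that order
        shift = 3 * (2 - pos // 3)         # owner << 6, group << 3, other << 0
        if ch == "-":
            continue
        if ch == expected or (expected == "x" and ch in "st"):
            value |= BITS[expected] << shift
        elif expected == "x" and ch in "ST":
            continue
        else:
            raise ValueError("unexpected %r at position %d" % (ch, pos))
    return value


def octal_to_symbolic(mode: int) -> str:
    """0o644 -> 'rw-r--r--' (stat.filemode gives the ls -l form; drop the type column)."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def chmod_and_verify(path: str, mode: int) -> int:
    """Apply the mode and return what the filesystem actually stored."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(path: str) -> List[str]:
    """Flag the permission settings an auditor looks for first."""
    perm = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if perm & stat.S_IWOTH:
        findings.append("world-writable")
    if perm & stat.S_IWGRP:
        findings.append("group-writable")
    if perm & stat.S_ISUID:
        findings.append("setuid")
    if perm & stat.S_ISGID:
        findings.append("setgid")
    return findings


def demo() -> Dict[str, object]:
    """Create a temp file, leave it 666 (a common mistake), then tighten it to 750."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        before = chmod_and_verify(path, 0o666)
        before_findings = audit(path)
        after = chmod_and_verify(path, symbolic_to_octal("rwxr-x---"))
        after_findings = audit(path)
    finally:
        os.unlink(path)
    return {
        "before": oct(before), "before_findings": before_findings,
        "after": oct(after), "after_findings": after_findings,
    }


if __name__ == "__main__":
    print(demo())
```

The audit deliberately reads the mode back from the filesystem rather than trusting the value passed to chmod; on a mount with restricted semantics the stored mode can differ from what was requested.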
What is the most common (default) scan type for nmap?
SYN scan (-sS, a half-open scan; requires root privileges)
T or F: UDP scans (-sU) in nmap are the slowest and least reliable
True
An open UDP port usually sends no reply, so open and filtered look the same; closed ports answer with ICMP port unreachable, which many hosts rate-limit
What is the numerical severity score assigned to a vulnerability called?
CVSS (Common Vulnerability Scoring System) score
Who developed the Cyber Kill Chain
Lockheed Martin
A NIST framework that outlines accepted practices for automating vulnerability scanning and configuration checking.
Security Content Automation Protocol (SCAP)
An XML schema, originally developed by MITRE and now maintained by the Center for Internet Security, for describing system security state and querying vulnerability reports and information
Open Vulnerability and Assessment Language (OVAL)
Part of SCAP
Scheme for identifying hardware devices, operating systems, and applications developed by Mitre
Common Platform Enumeration (CPE)
Standardized naming format used to identify systems and software
Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST
Common Vulnerabilities and Exposures (CVE)
A list of records, each with a unique identifier (CVE-YYYY-NNNNN), describing publicly known vulnerabilities
Scheme for provisioning secure configuration checks across multiple sources developed by Mitre and adopted by NIST
Common Configuration Enumeration (CCE)
similar to CVE except focused on configuration issues which may result in an vulnerability.
What are the two key elements of how a CVSS score is presented?
CVSS score - a number from 0.0 to 10.0 computed from a published formula
CVSS vector string - the metric values behind the score, giving context (attack vector, privileges required, scope, impact, plus optional temporal and environmental metrics)
T or F: CVSS is a measure of exploitability
False
CVSS rates severity; it does not indicate whether a working exploit exists or whether the vulnerability is actually being exploited.
When a Vulnerability Scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not is called a
False Positive
When a vulnerability scan incorrectly identifies that a vulnerability does not exist
False negative
Most concerning since it points to issues with scanning engine or database
What are the 3 metric groups of CVSS scoring?
Base (exploitability and impact metrics; fixed for the vulnerability)
Temporal (exploit code maturity, remediation level, report confidence; change over time)
Environmental (base metrics modified for, and C/I/A requirements of, your own environment)
What are the CVSS base metrics?
Exploitability metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI)
Scope (S) - whether a successful exploit affects resources beyond the vulnerable component's security authority (Unchanged or Changed)
Confidentiality (C) - the extent to which data is disclosed to an unauthorized party
Integrity (I) - the extent to which data or system state can be modified
Availability (A) - the extent to which the system becomes unavailable
Privacy, operational impact and other business factors are not CVSS metrics; they are additional inputs an organization uses when prioritizing remediation.
What payloads in a Wireshark capture of ICMP echo requests (ping) indicate the sender's OS?
Windows - 32 bytes of repeating ASCII letters (abcdefghijklmnopqrstuvwabcdefghi)
Linux/Unix - 56 bytes in total: an 8- or 16-byte timestamp followed by an incrementing byte pattern ending ...0x35 0x36 0x37, which Wireshark's ASCII column shows as !"#$%&'()*+,-./01234567
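Added example (not from the deck): a small ICMP echo-request parser that validates the RFC 1071 checksum and then classifies the sender by the payload patterns described above. The two sample packets are constructed here, not captured; the 16-byte timestamp length for Linux is an assumption matching 64-bit builds of ping (older builds use 8 bytes, so only the bytes after offset 16 are checked).

```python
import struct
from typing import Tuple

ECHO_REQUEST = 8
# Windows ping: 32 bytes, the letters a..w followed by a..i.
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
# Linux ping: 56 bytes; a timestamp, then each byte equals its own offset (0x10..0x37).
LINUX_PAYLOAD_LEN = 56
LINUX_TIMESTAMP_LEN = 16   # assumption: 64-bit struct timeval; older builds use 8


def icmp_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit big-endian words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header (type, code, checksum, id, seq) followed by the payload."""
    header = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo_request(packet: bytes) -> Tuple[int, int, bytes]:
    """Return (id, seq, payload); reject anything that is not a well-formed echo request."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if typ != ECHO_REQUEST or code != 0:
        raise ValueError("not an echo request (type %d code %d)" % (typ, code))
    if icmp_checksum(packet) != 0:           # summing a valid packet including its checksum gives 0
        raise ValueError("bad ICMP checksum")
    return ident, seq, packet[8:]


def fingerprint_payload(payload: bytes) -> str:
    """Classify the sending OS family from the echo payload alone."""
    if payload == WINDOWS_PAYLOAD:
        return "windows"
    if len(payload) == LINUX_PAYLOAD_LEN and all(
        payload[i] == i for i in range(LINUX_TIMESTAMP_LEN, LINUX_PAYLOAD_LEN)
    ):
        return "linux/unix"
    return "unknown"


def fingerprint_packet(packet: bytes) -> str:
    _, _, payload = parse_echo_request(packet)
    return fingerprint_payload(payload)


def sample_windows_packet() -> bytes:
    """Constructed sample: what a Windows host's ping puts on the wire."""
    return build_echo_request(0x0001, 1, WINDOWS_PAYLOAD)


def sample_linux_packet() -> bytes:
    """Constructed sample: a made-up tv_sec/tv_usec timestamp, then the offset pattern."""
    timestamp = struct.pack("<qq", 1700000000, 123456)
    pattern = bytes(range(LINUX_TIMESTAMP_LEN, LINUX_PAYLOAD_LEN))
    return build_echo_request(0x1234, 1, timestamp + pattern)


if __name__ == "__main__":
    for pkt in (sample_windows_packet(), sample_linux_packet()):
        print(len(pkt), "bytes ->", fingerprint_packet(pkt))
```

Payload fingerprinting is a hint, not proof: ping utilities let the user change the payload (for example with -s or -p on Linux), so a result of "unknown" or a mismatched payload on a host you believe you know is itself worth a second look.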
This term describes how many organizations' networks no longer have a clearly defined "inside" and "outside" boundary.
Deperimeterization
Data _______________ combines and analyzes data from disparate sources to gain a greater understanding of it
Enrichment
Physical (P), Local (L), Adjacent Network (A), or Network (N) are all values for which CVSS base metric?
Attack Vector (AV)
When a vulnerability scan correctly identifies a vulnerability.
True Positive
For example, a true positive would be when a scan correctly identifies the presence of default credentials on network equipment.
A vulnerability scan that correctly indicates that a system or device does not have a vulnerability.
True Negative
What is the term for the type of control when systems do not support modern security features, or these features break business critical functions?
Compensating Controls
this control can provide protection when circumstances prevent the use of the primary security measure.
A document that outlines the terms and conditions of an agreement between two or more parties, usually without being legally binding.
Memorandum of Understanding (MoU)
It might outline uptime, data access, response times and other performance characteristics that conflict with tasks identified in response to mitigating vulnerabilities.
Legally binding contract between two parties that defines the level of services to be provided?
Service Level Agreement
What is the system of rules, practices and processes an organization uses to control its operation and the strategic direction it pursues
Organizational Governance
can conflict with security measures.
Name the 3 CVSS temporal metrics
Exploit Code Maturity (E)
Remediation Level (RL)
Report Confidence (RC)
What are the Rating Levels of CVSS and their corresponding Score Ranges
Rating CVSS Score
Critical 9.0 - 10.0
High 7.0 - 8.9
Medium 4.0 - 6.9
Low 0.1 - 3.9
None 0.0
What site holds the CVSS for a CVE Record
nvd.nist.gov
Which option in nmap disables port scanning?
-sn
Host discovery (ping sweep) only; not ideal on its own because many systems will not reply to ping, so a port scan is usually still needed to find live hosts
By default, how many ports does nmap scan?
The 1000 most common ports for the protocol being scanned
Use the -p option to select other ports, e.g. -p 10000-16000, or -p- for all 65535