General Knowledge Flashcards

1
Q

What is GRC?

A

Governance, Risk Management, and Compliance

2
Q

What tool should businesses use to track risks?

A

Risk Register

3
Q

What role does Governance play in the approach to Cybersecurity?

A

Responsible for creating and maintaining organizational policies. Defines the organization's expectations of its employees and its approach to cybersecurity.

4
Q

What are SLOs within cybersecurity and a Security Operations Center?

A

Service Level Objectives, which are the standards that organizations and their leadership must meet to ensure the security of their network.

5
Q

What are MTTD and MTTR?

A

Mean Time to Detect
Mean Time to Recover

6
Q

What are the 4 Risk Responses?

A

Avoid
Accept
Mitigate
Transfer

7
Q

Briefly Describe Threat Modeling

A

Designed to identify the principal risks and the Tactics, Techniques and Procedures (TTPs) that a given system may be subject to, by evaluating the system both from an attacker's point of view and from the defender's point of view.

8
Q

Name some standard frameworks to help practitioners with controls

A

NIST 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST 800-53 - Security and Privacy Controls for Federal Systems

ISO 27001 and CIS Top 18 ver 4

9
Q

Name the 3 different classes of Control Types

A

Technical - Systems
Operational - People
Managerial - Oversight

10
Q

The modern approach to security controls includes preventative controls; name the 4 additional control types.

A

Detective
Corrective
Compensating
Corrective

11
Q

This control acts to eliminate or reduce the likelihood of an attack. ACLs, file system objects, AV, etc.

A

Preventative

12
Q

This control does not prevent but will identify and record any attempted or successful intrusion.

A

Detective

13
Q

This control acts to eliminate or reduce the impact of an intrusion attempt.

A

Corrective

14
Q

This control serves as a substitute for a principal control.

A

Compensating
Uses a standard that affords better protection than the existing control.

15
Q

This control serves to direct corrective action.

A

Responsive
SOC response with well-defined procedures

16
Q

The term for adopting a functional approach to security controls that maps to known adversary tools and tactics.

A

Course of Action Matrix (CoA)

17
Q

Name two of the most popular hardening guides.

A

CIS Benchmarks - 1000 pages

Department of Defense Security Technical Guides (STIGs)

18
Q

What is the attack surface analysis tool that uses the MITRE ATT&CK Framework?

A

Adversary Emulation - Red Team Engagement

Comparing Adversary Emulation vs Penetration Testing:

The goal of a penetration test is to simulate an attack to identify vulnerabilities and weaknesses, then prioritize based on findings.

Adversary emulation simulates a real-world cyber-attack by a red team to assess an organization's defenses. Much more comprehensive than a pen test.

19
Q

What is the attack surface analysis that offers rewards based on certain elements?

A

Bug Bounty

20
Q

What is the difference between Threat Intelligence and Threat Hunting?

A

They both encompass the strategies used to detect and protect against active threats.

Threat Intelligence describes gathering and analyzing data to help identify potential threats and determine the most cost-effective way to mitigate them.

Threat Hunting is the active search for signs of malicious activity on a network. It uses tools and techniques, such as log analysis, to search for potential threats.

21
Q

Who publishes the Common Vulnerabilities and Exposures list?

A

MITRE.org

22
Q

What is the common abbreviation for Command and Control?

A

C&C or C2

23
Q

Name a defining characteristic of an APT.

A

Adversary removes evidence of the attack.

24
Q

What is OSINT?

A

Open-Source Intelligence - using publicly available information such as web sites, blogs, chat forums, etc.

25
Q

What are the two broad categories of Threat Intelligence?

A

Strategic - high-level view of the threat landscape: trends, tactics, and techniques that threat actors use.

Operational - more granular, about specific threats, such as malware analysis and network forensics.

26
Q

What is an ISAC?

A

Information and Sharing Analytics Center - required by the Government in 1990 to form private/public partnerships and industry associations to disseminate sector-specific threat intelligence.

27
Q

What alliance do cybersecurity vendors openly share threat information with?

A

Cyber Threat Alliance (CTA)

28
Q

What is CISA?

A

US Cybersecurity and Infrastructure Security Agency

29
Q

What are IoCs and IoAs? Describe them.

A

Indicators of Compromise
Indicators of Attack

Based on confidence levels provided by threat information.

30
Q

What is the attack data that describes the TTPs of current, active cyberattacks?

A

Crowdsourced attacks

31
Q

What technique plays a crucial role in identifying and analyzing IoCs?

A

Digital Forensics

32
Q

What is the term for using offensive actions to outmaneuver an adversary and make an attack harder to execute?

A

Active Defense

Honeypots
Honeynets
Active Decoys

33
Q

What are the key differences between Serverless platforms?

A

Hardware abstraction. Billed based on execution time, not hours.

34
Q

What are the 3 "planes" of Software Defined Networking?

A

Control Plane - traffic prioritization and where it should be switched

Data Plane - handles the actual switching and routing, including any ACLs

Management Plane - monitoring of traffic conditions and network status

35
Q

What is a networking and security architecture that provides secure access to cloud applications and services while reducing complexity?

A

SASE
Secure Access Service Edge

SASE plays a key role in Zero Trust Architecture

36
Q

The act of cooperation between multiple systems or companies to enable access via trusted accounts is called ___________

A

a Federation

37
Q

What is the standard method companies use to authenticate between systems such as Google and Amazon and what protocol is involved?

A

OpenID and OAuth 2.0

38
Q

What is the XML-based language used to exchange authentication information between a client and a service provider?

A

Security Assertion Markup Language (SAML)

39
Q

What is the XML-based web services protocol that is used to exchange messages between

A

Simple Object Access Protocol (SOAP)

40
Q

In relation to Transitive Trust: if Resource A trusts Resource B and Resource B trusts Resource C, then (T or F) Resource A trusts Resource C.

A

True
Trust models avoid a single point of failure.

41
Q

What is the enterprise management software designed to mediate access to cloud services by users across all types of devices?

A

Cloud Access Security Broker (CASB)

42
Q

What are the 3 CASB implementations?

A

Forward Proxy - appliance at the client network edge. Can be bypassed, and has performance concerns.

Reverse Proxy - at the cloud network edge; does require the cloud application to support this proxy.

API - built into the cloud app itself.

43
Q

What is SOAR and what function does it serve?

A

Security Orchestration, Automation and Response

A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

44
Q

What is a SIEM and how does SOAR work with this type of system?

A

Security Incident and Event Management

SOARs can bolt onto a SIEM and trigger after an alert is generated.

45
Q

Describe the relationship between Regulations and Standards.

A

Regulations describe legal requirements and ramifications; the details of compliance are oftentimes provided in prescriptive form within a standard.

46
Q

OWASP is _________

A

Open Web Application Security Project - international non-profit providing unbiased information about app security.

Publishes the Top 10
Publishes the ModSecurity tool

47
Q

What is Static Analysis in regard to Vulnerability Scanning?

A

Manual inspection of source code to identify vulnerabilities and weaknesses.

48
Q

True or False - Fingerprinting in Vulnerability Analysis is the same as Mapping.

A

False - fingerprinting is at the device level, while Mapping looks at the network as a whole.

49
Q

What is Dynamic Analysis in Vulnerability Scanning?

A

A more rigorous approach, typically using vulnerability scanning software and even Pen Testing.

50
Q

What is Fuzzing?

A

Formerly Black Box Testing: using specialty software tools to identify problems and issues with an application by purposely inputting or injecting malformed data into it.

51
Q

What is Operational Technology (OT)?

A

Systems that operate separately from corporate IT and are typically comprised of PLCs and SCADA networks.

52
Q

What type of system provides mechanisms for workflow and process automation in industry?

A

Industrial Control Systems (ICSs)

Plant devices and equipment with embedded PLCs.

53
Q

What is SCADA?

A

Supervisory Control and Data Acquisition (SCADA). A system that takes the place of a control server in a multi-site ICS.

54
Q

What type of control language do PLCs utilize?

A

A special sequential control language called Ladder Logic.

55
Q

What is the command to change file and folder permissions in Linux?

A

chmod

Owner, Group, Other
4 = Read
2 = Write
1 = Execute

56
Q

What is the most common scan type for NMAP?

A

SYN Scan

57
Q

T or F: UDP scans in NMAP are the most unreliable.

A

True

58
Q

What is the numerical score assigned to a computer vulnerability called?

A

CVSS

59
Q

Who developed the Cyber Kill Chain?

A

Lockheed Martin

60
Q

A NIST Framework that outlines various accepted practices for automating vulnerability scanning.

A

Security Content Automated Protocol (SCAP)

61
Q

An XML schema, maintained by MITRE, for describing system security state and querying vulnerability reports and information.

A

Open Vulnerability and Assessment Language (OVAL)

Part of SCAP

62
Q

Scheme for identifying hardware devices, operating systems, and applications, developed by MITRE.

A

Common Platform Enumeration (CPE)

Standardized naming format used to identify systems and software.

63
Q

Scheme for identifying vulnerabilities, developed by MITRE and adopted by NIST.

A

Common Vulnerabilities and Exposures (CVE)

A list of records, each containing a unique identifier used to describe a publicly known vulnerability.

64
Q

Scheme for provisioning secure configuration checks across multiple sources, developed by MITRE and adopted by NIST.

A

Common Configuration Enumeration (CCE)

Similar to CVE, except focused on configuration issues which may result in a vulnerability.

65
Q

What are the two key elements of how CVSS is scored?

A

CVSS Score Calculation - formula based

CVSS Vector String - more context, including identifiers, environmental and additional information

66
Q

T or F: CVSS is a measure of exploitability.

A

False

Does not indicate whether or not a vulnerability can be exploited.

67
Q

When a vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not, this is called a

A

False Positive

68
Q

When a vulnerability scan incorrectly indicates that a vulnerability does not exist, this is called a

A

False Negative
Most concerning, since it points to issues with the scanning engine or database.

69
Q

What are the 3 categories of CVSS scoring?

A

Impact
Exploitability
Remediation

70
Q

What are the metrics of CVSS scoring?

A

Scope—The number of systems and people affected by the vulnerability.

Confidentiality—The extent to which data is disclosed.

Integrity—The extent to which the system’s functionality is changed or impaired.

Availability—The extent to which a system is unavailable.

Privacy—The extent to which the system’s privacy is impacted.

Operations—The extent to which the system’s security is affected.

Other—Any other relevant or important factors.

71
Q

What are the ping payloads in a Wireshark packet capture that indicate which server OS sent them?

A

Windows - 32 bytes, or a string of letters in ASCII

Linux/Unix - 48 bytes, or strings of letters and numbers in ASCII.

72
Q

This term describes how many organizations’ networks no longer have a clearly defined “inside” and “outside” boundary.

A

Deperimeterization

73
Q

Data _______________ combines and analyzes data from disparate sources to gain a greater understanding of it.

A

Enrichment

74
Q

Physical (P), Local (L), Adjacent Network (A), and Network (N) are all values for which base metric?

A

Attack Surface

75
Q

When a vulnerability scan correctly identifies a vulnerability.

A

True Positive

For example, a true positive would be when a scan correctly identifies the presence of default credentials on network equipment.

76
Q

A vulnerability scan that correctly indicates that a system or device does not have a vulnerability.

A

True Negative

77
Q

What is the term for the type of control when systems do not support modern security features, or these features break business critical functions?

A

Compensating Controls

This control can provide protection when circumstances prevent the use of the primary security measure.

78
Q

A legal document that outlines the terms and conditions of an agreement between two or more parties.

A

Memorandum of Understanding (MoU)

It might outline uptime, data access, response times and other performance characteristics that conflict with tasks identified in response to mitigating vulnerabilities.

79
Q

Legally binding contract between two parties that defines the level of services to be provided.

A

Service Level Agreement

80
Q

What is the system of rules, practices and processes an organization uses to control its operation and the strategic direction it pursues?

A

Organizational Governance

Can conflict with security measures.

81
Q

Name the 3 CVSS Temporal Metrics sub-components.

A

Exploit Code Maturity
Remediation Level
Report Confidence

82
Q

What are the rating levels of CVSS and their corresponding score ranges?

A

Rating   | CVSS Score
---------|-----------
Critical | 9.0 - 10.0
High     | 7.0 - 8.9
Medium   | 4.0 - 6.9
Low      | 0.1 - 3.9
None     | 0.0

83
Q

What site holds the CVSS score for a CVE record?

A

nvd.nist.gov

84
Q

Which option in NMAP disables port scanning?

A

-sn

Uses a ping sweep, which is not an ideal option since many systems will not reply. Port scans would be necessary.

85
Q

By default, NMAP scans how many ports?

A

Top 1000

Use the -p option to select more ports, such as -p 10000-16000

86
Q

What does the -sV option enable during an NMAP scan?

A

Known as the version scan, but it also performs banner grabbing, server identification, and enumeration.

87
Q

List the DoD STIGs vulnerability categories.

A

Category I—Any vulnerabilities that will immediately cause a breach of confidentiality, availability, or integrity. These exposures can grant unapproved access to confidential information, causing a disruption of service. These threats are the most dangerous and may result in death, damage to facilities, or a failure of a mission.

Category II—Any vulnerabilities resulting in loss of confidentiality, availability, or integrity and can lead to a Category I vulnerability, injury, damage to equipment, or degrade a mission.

Category III—Any vulnerabilities that degrade controls implemented to protect against the loss of confidentiality, availability, or integrity and can lead to a Category II vulnerability, delay recovering from an outage, or negatively affect the accuracy of data.

88
Q

_______ are the actions and guidelines for dealing with security events.

A

Incident Response Plans

89
Q

What are the NIST 800-61r2 stages of the incident response life cycle?

A

1. Preparation - hardening, policies and procedures
2. Detection and Analysis - triage
3. Containment - limit impact
4. Eradication and Recovery - multiple phases
5. Post-Incident Activity - analyze and update procedures and policies

90
Q

Name some of the typical components of an IRP.

A

Incident Response Policies - statements of the organization's expectations and procedures

Incident Response Procedures - Ransomware, Data Exfiltration, Social Engineering playbooks

Incident Tools and Resources - SIEM, IDS, vulnerability scanners, NetFlow, monitoring, firewalls and gateways

Identification of Potential Threats and Incidents - threat modeling, risk analysis and other threat identification

Assessment of Potential Impacts - using risk analysis and impact assessment to measure the scope of identified incidents

Creation of Response Plans - detailed, concise and direct

91
Q

What technical controls or tools form the foundation of incident detection capabilities?

A

SIEM and IDS

92
Q

T or F: Incident Response Playbooks should be digitally stored as a best practice.

A

False - they should be physical playbooks and not accessible digitally, to keep those with malicious intent from obtaining them.

93
Q

Following an incident during Post Review what is the name of the report that should be compiled.

A

Lessons Learned Report (LLR) or After-Action Report (AAR)

The conclusion of the lessons learned is used to continue updating the Incident Response Plan.

94
Q

T or F: identifying IoCs is the first step in incident response.

A

True
This is a reactive process, and the earlier the detection the better.

95
Q

De facto method for sharing and matching threat intelligence against network traffic.

A

Suricata Rules

Passive, and used within an IDS.

96
Q

Data acquisition, as it relates to evidence, prioritizes collection based on the following:

A

Evidence capture prioritizes collection activities based on order of volatility:

CPU registers and cache memory
Contents of system RAM
Data on HDD
Remote logging
Physical config data
Archive data

97
Q

Describe the requirements of the Legal Process.

A

Evidence Preservation - labeled, tagged and bagged.

Ensure Chain of Custody is recorded for each piece of evidence.

Apply Legal Holds when applicable, preserving the data and ensuring no changes are made.

e-Discovery is the process of identifying, collecting and providing the information covered by a legal hold.

98
Q

What are the two classification frameworks for an Impact Analysis (Triage)?

A

Impact Based

Taxonomy Based - defines incident categories by type, such as worm outbreaks, phishing attempts, DDoS, etc. Includes sub-categories such as attack vectors, threat type, etc.

99
Q

The process of assessing what costs are associated with an incident such as a data breach is ________

A

Impact Analysis

100
Q

Describe the key difference between recovery and remediation.

A

Remediation describes the corrective actions that address a problem permanently, vs recovery, which fixes the issue but does not get to the root cause.

101
Q

Name the forensic tools and their functions.

A

fdisk - list partitions

testdisk - detailed partitions, including hidden ones

fiwalk - analyze a drive image

fsstat - more information on partitions, especially hidden partitions

fls - pull file info from hidden partitions

istat - pull inode information from hidden partitions

102
Q

An Incident Response Report (IRR) should have ________ words, also known as the 5 Ws?

A

Interrogative Words
Who, What, When, Where and Why

Must have a timeline to support the 5 Ws.

103
Q

What is the process called that gets to a foundational understanding of the event?

A

Root Cause Analysis (RCA)

104
Q

What is the site that I can go to for Digital Forensics Tool Testing?

A

dftt.sourceforge.net

105
Q

What is the name of the command in Kali that hashes a file so the hash can be compared against the expected value?

A

md5sum

106
Q

What is the name of the Kali forensic tool set?

A

Autopsy Forensics Browser

106
Q

Name of the Microsoft site and utilities used to manage, diagnose and troubleshoot a Windows environment.

A

SysInternals

106
Q

T or F: a playbook is designed to automate some of the routine tasks ordinarily performed by security personnel in response to a security incident.

A

False

106
Q

What is the name of the command that extracts and displays viewable characters stored within a binary?

A

Strings Command

106
Q

Wireshark can filter the output using the same expression syntax as _________, which is a command line packet capture utility for Linux.

A

tcpdump for Linux
windump for Windows

tcpdump -i eth (where eth represents the interface to listen on)

tcpdump -i eth0 -w capture.pcap

This tool is invaluable for scripting scenarios.

Note - the PCAP file format has limitations and has been replaced with PCAPNG by default.

106
Q

When a playbook utilizes a high degree of automation from a SOAR system, it can be referred to as a Runbook - T or F

A

True

107
Q

What is the free service designed to inspect files and URLs using over 70 antimalware scanners and domain blocklisting services?

A

VirusTotal

108
Q

What are two common cloud-based sandboxes?

A

Joe Sandbox
CrowdStrike’s Hybrid Analysis

109
Q

2 of the big 3 threat frameworks are MITRE ATT&CK and the Lockheed Martin Kill Chain. What is the 3rd one called?

A

Diamond Model Framework

Good for teaching and less technical than MITRE.

Used to develop automated threat intelligence analysis engines, which are often integrated with various SIEM platforms.

110
Q

Developed by the Institute for Security and Open Methodologies (ISECOM), this manual outlines in detail every area an organization needs to test, and is called __________

A

Open-Source Security Testing Methodology Manual (OSSTMM)

Operational, physical and wireless security testing.

111
Q

Describe in technical terms the anatomy of SMTP.

A

The Mail User Agent (MUA) creates an initial header during email creation. The message is sent to the Message Delivery Agent (MDA), which validates it and, if it is not delivered locally, appends its own header and then transmits the message to the Message Transfer Agent (MTA). The MTA routes it via DNS to the recipient's MTA. Each MTA it passes through adds another header.

112
Q

Which email security framework uses DNS TXT records that identify the hosts authorized to send email for that domain?

A

Sender Policy Framework (SPF)

113
Q

What email security mechanism provides a cryptographic authentication method via DNS records and supplements the other framework?

A

DomainKeys Identified Mail (DKIM)

Uses a public key published as a TXT record on the DNS server. When outgoing email is processed, the domain's MTA calculates a hash value over selected message content and signs it using its private key. The signed hash value is added to the message as a DKIM-Signature header.

114
Q

How does DMARC (Domain-based Message Authentication, Reporting and Conformance) apply to email security?

A

The DMARC framework ensures that SPF and DKIM are being utilized effectively.

The DMARC policy is published as a DNS record and specifies an alignment method using one or both of SPF and DKIM.

115
Q

What is another name for Doppelganger Domains?

A

Cousin Domains

116
Q

What is the type of system utility that makes the victim system connect back to the attacker's machine to establish shell access?

A

Reverse Shells

netcat Listener
Bash Shells
Python

These would not be considered normal activity and should be heavily scrutinized.

117
Q

This security product offering scans indicators from multiple intrusion detection and log sources to identify anomalies, and is often integrated into SIEM platforms.

A

User and Entity Behavior Analytics (UEBA)

Tracks user account behavior across different devices and cloud services.

118
Q

A ________ _________ attack allows a small DNS request with a spoofed source IP to generate a very large response.

A

DNS Reflection

A reflection or amplification attack uses spoofing.

119
Q

What type of devices does worm activity typically saturate?

A

Switches and Routers

120
Q

What is the Network Time Protocol command that can be abused to generate vast amounts of traffic?

A

MonList

121
Q

T or F: Beaconing is always associated with an intrusion.

A

False.
Beaconing is a legitimate process where nodes such as APs advertise their presence. But it can also be associated with Remote Access Trojans communicating with C&C.

122
Q

What is the name of the technique used by C&C to avoid being pinned down?

A

Domain Generation Algorithm (DGA)

and
Fast Flux DNS

123
Q

What are the common channels that C&C communicates over?

A

Internet Relay Chat (IRC)
HTTP/HTTPS
DNS - common since it does not require direct internet access and the DNS server can forward requests.

Social media websites
Media and document files - using their metadata, which is typically not inspected.

124
Q

What tool from Sysinternals is the reliable method that hackers will use to move laterally through your network?

A

PsExec

Uses a simple pattern:
1. Establishes an SMB connection to the target system
2. Pushes a copy of a receiver process, PSEXESVC.exe, to the target system's ADMIN$ share
3. Launches PSEXESVC.exe, which sends its output to a named pipe

125
Q

What is the name of the attack where an attacker redirects an IP address to a MAC address not associated with its proper destination?

A

ARP Spoofing or ARP Poisoning

126
Q

Malware can use any port to communicate, but what is the term for when it initiates over a standard port and then communicates over a different port?

A

Mismatched Port/Application Traffic

127
Q

Describe Shell and Reverse Shell.

A

Shell - opening up a command window on a remote host.

Reverse Shell - opens a listening port on the remote host and causes the infected host to connect to it.

128
Q

Which open source tool, native to Linux, is used by hackers to perform a Reverse Shell?

A

Netcat

produced by Nmap

129
Q

What are the Linux commands that output a summary of memory and processes?

A

free and top

The htop utility is similar, with mouse support and more easily readable output.

130
Q

What are the Linux commands that can aid in analyzing the file system?

A

lsof - retrieves a list of all files currently open.

df and du

131
Q

What are the Windows Scheduled Task Event IDs for creation and modification, and for enabling or disabling scheduled tasks?

A

4698 - new or modified

4700 - enabled or disabled

132
Q

What are the core processes in Windows?

A

Windows Kernel (systems.exe)

Session Manager Subsystem (smss.exe)

Client Server Runtime Subsystem (csrss.exe)

Windows Initialization Process (wininit.exe)

Service Control Manager (services.exe)

Local Security Authority Subsystem Service (lsass.exe)

133
Q

What is the practice of exploiting flaws in an OS or other application to gain a greater level of access than was intended for the user of the application?

A

Privilege Escalation

134
Q

What are the common types of NMAP scanning and their flags?

A

TCP SYN (-sS)
TCP Connect (-sT)
TCP Flags (-sN, -sF, -sX)
UDP Scan (-sU)
Port Range (-p)

135
Q

NMAP can also be used for fingerprinting hosts? (T or F)

A

True

Using -sV or -A, NMAP can get:
Protocol
App Name and Version
OS Type and Version
Host Name
Device Type

136
Q

Which free tool can be used for quickly scanning a network to identify connected devices and services?

A

Angry IP Scanner

137
Q

What is the name of the sophisticated visualization tool that helps investigators quickly identify relationships among entity types?

A

Maltego

138
Q

_________ is a very powerful collection of tools designed to exploit vulnerabilities in a wide range of systems and software.

A

Metasploit Framework

139
Q

_________ has a syntax and use that parallels Metasploit but is focused on performing web-based reconnaissance.

A

Recon-ng

Best for reconnaissance in the information gathering phase of exploitation.

140
Q

What is the open-source security platform built on OSSEC that provides a range of features for monitoring, threat detection and compliance management?

A

Wazuh

Can be integrated with the Elastic Stack and is highly scalable

141
Q

Name the password guessing/stuffing attack tool in Linux

A

Hydra

142
Q

Wazuh alert level scale:

A

Info - 0-3
Low - 4-7
Medium - 8-11
High - 12-15
Emergency - 16

143
Q

What is the type of attack that requires the theft of a token from a valid client, which is then used from a different system to fool the authentication services?

A

Pass the Hash

144
Q

What is the primary reason to avoid the use of MD5?

A

Propensity for collisions

145
Q

What European organization was set up in the 90's for computer antivirus research?

A

EICAR
European Institute for Computer Antivirus Research

146
Q

What is the NIST software library project called?

A

National Software Reference Library.

147
Q

What is the very popular tool for analyzing and exploiting web applications, and what category of tool is it?

A

Burp Suite
Intercepting Proxy

148
Q

Zed Attack Proxy (ZAP) is another tool similar to Burp Suite; what organization produced it?

A

OWASP

Open World Application Security Project

149
Q

Name a popular command-line web app scanner.

A

Nikto

150
Q

Name some of the common debuggers and reverse engineering tools

A

Immunity Debugger - Open source and very popular

GNU Debugger - open source and focuses on programs written in C, C++ and Fortran

151
Q

Name the popular tools for app and cloud penetration testing

A

ScoutSuite - open source and works with all 3 of the major public clouds

Prowler - same but AWS only

Pacu - AWS only and would require permission under the CSP's acceptable use policy

152
Q

______ is a CLI web vulnerability scanner that can detect over 6700 potentially dangerous files and CGI scripts

A

Nikto

153
Q

________ is a CLI Web vulnerability scanner that focuses on problematic web scripts

A

Wapiti

154
Q

Who owns SSL Labs and what does this service perform?

A

Qualys
Website/web server and web browser testing service

155
Q

What is the name of an excellent online web vulnerability scanner?

A

Pentest-Tools

156
Q

What tool can automatically perform reconnaissance and scanning of websites using Nmap, Shodan, Whatweb, Nikto, Vulners, Hydra and more?

A

Legion

157
Q

What service scans sites and provides findings in HTML format, grouped into categories such as Good, Warning and Danger?

A

ScoutSuite

158
Q

Command-line cloud security auditing tool that generates a report summarizing the security posture of a company's cloud architecture.

A

Prowler

159
Q

What is a common password cracking tool that performs dictionary attacks?

A

John the Ripper (JtR or John)

160
Q

T or F: Dictionary attacks and Brute Force are forms of offline password cracking.

A

True

Uses stolen password hashes and does not interact with a live authentication system

161
Q

Name the command-line utility for cracking wireless networks

A

Aircrack

162
Q

What is the widely used tool for Linux apps for debugging, inspecting runtime status, and modifying the program's execution flow?

A

GNU Debugger

163
Q

What is the open-source, feature-rich, modular web application security testing framework?

A

Arachni

164
Q

Windows PowerShell uses what file extension and what type of command syntax?

A

.PS1

Easily recognizable by its use of cmdlets that follow a Verb-Noun pattern, such as Invoke-Command

Get-Content
Add-Content

165
Q

What is the command-line language that is part of Windows WMI, and what is it used for?

A

Windows Management Instrumentation Command-Line

Performing administrative tasks and well suited to scripting and automation

166
Q

What is the interpreted, high-level, general-purpose programming language used for a wide variety of purposes, and what is its file extension?

A

Python

.py

Example (read the mouse pointer position; assumes the pynput library provides the mouse object):

from pynput.mouse import Controller  # assumption: pynput supplies the mouse controller
mouse = Controller()
print('The current pointer position is {0}'.format(mouse.position))

167
Q

What is the object-oriented, event-driven programming language that enables website interaction?

A

JavaScript Object Notation (JSON)

As opposed to HTML, which simply displays information.

Similar to XML

uses curly bracket syntax and allows for the use of arrays (lists)

{ "product info" :
  {
    "product name" : "adjustable race",
    "product number" : "AR-5381"
  }
}

168
Q

What is the primary difference between HTML and XML?

A

HTML displays data and XML transfers it

Note the tag syntax (opening tag, closing tag with a slash):

<Products> and
</Products>

169
Q

What is the name of the web security flaw that enables an attacker to read various files on the web server while an application is running?

A

Directory or File Path Traversal

170
Q

What is the attack that takes advantage of a website's weakness in allowing submitted code and commands to execute?

A

Cross-site Scripting (XSS)

It also uses hex (URL) encoding to obfuscate characters. Common ones are:
%20 space
%2F /
%3c <

171
Q

Predecessor to Bourne Shell

A

BASH (Bourne-again shell)

an improved version of sh and very common.

Supports full programmatic structure and looks like:

Tux@ubuntu:~$ cat boolean_loop.sh
#!/bin/bash
mynum=100

# infinite loop; the user exits with CTRL-C
while :
do
  echo "enter a number or CTRL-C to quit"
  read num1
  # quote variables and keep a space before the closing ]
  if [ "$num1" -lt "$mynum" ]; then
    echo "your number is smaller"
    echo
  elif [ "$num1" -gt "$mynum" ]; then
    echo "your number is larger"
    echo
  else
    echo "We picked the same number!"
    echo
  fi
done

172
Q

To redirect output data to other locations such as a file or program, what are the redirection characters?

A

> for basic redirection (creates or overwrites the file)
>> for appending to an existing file

173
Q

What is the method of system development that incorporates security controls in every phase of the system's lifecycle?

A

Secure Software Development Life Cycle (SSDLC)

174
Q

What is a comprehensive guide for testing the security of web applications?

A

OWASP Testing Guide

Provides a structured approach to web app security testing:

1. Information Gathering
2. Configuration and Deployment Management Testing
3. Identity Management Testing
4. Input Validation……

175
Q

This password attack describes when an attacker chooses predetermined passwords and tries them for multiple accounts

A

Password Spraying

A brute force attack in which multiple user accounts are tested with a dictionary of common passwords

176
Q

This password attack describes the use of credentials stolen from one source and trying them against multiple sources

A

Credential Stuffing

A brute force attack in which stolen user account names and passwords are tested against multiple websites

177
Q

A software vulnerability where the authentication mechanism allows an attacker to gain entry

A

Broken Authentication

E.g. cleartext credentials, weak session tokens, or permitting brute force login requests

178
Q

__________ is a software vulnerability where a program attempts to write more data to a temporary storage area in memory than it can hold, causing data to overflow into adjacent memory. What is a widely known vulnerability of this type called?

A

Buffer Overflow

Heartbleed - OpenSSL Implementations of TLS. In vulnerable versions of OpenSSL an attacker can send a malformed heartbeat request that causes the server to leak up to 64 KB of memory data.

179
Q

The area of memory allocated by the application during execution to store variables is called the _______. A _______ _______ can overwrite those variables and possibly allow arbitrary code execution.

A

Heap

Heap Overflow

180
Q

_______ is a type of software vulnerability that occurs when a program tries to store an integer value larger than the maximum value that the data type can hold. This causes the value to wrap around to a lower value or overflow into adjacent memory space.

A

Integer Overflow - can cause a buffer overflow

Fun Fact: A famous integer overflow occurred during NASA's Mars Climate Orbiter mission in 1999 - the force of the thrusters exceeded the maximum value and went negative, resulting in an incorrect trajectory.

181
Q

What is the name of the region of memory that holds temporary data created by a program during runtime? What is the vulnerability when a program tries to store more data in the _____ than it can hold?

A

Stack
Stack Overflow

Some programming languages such as C and C++ contain built-in functions such as strcpy that do not check bounds

182
Q

What is the technique that randomizes where components of a running application are placed in memory to protect against buffer overflows?

A

Address Space Layout Randomization (ASLR)

183
Q

Which exploit is more difficult: Local File Inclusion or Remote File Inclusion?

A

Remote File Inclusion is easier to perform but less likely to be exploitable.

184
Q

T or F: HTTP is a stateless protocol

A

True
It uses cookies to preserve information about users

Nonpersistent cookies, or session cookies, are stored in memory and deleted when the browser is closed.

Persistent cookies are stored in the browser cache until deleted by the user or until they expire on their own.

Local cookies, if not encrypted, can hold confidential information.

185
Q

What are the ways you can protect against session hijacking that exploits cookies?

A

Deliver a new cookie upon each connection.
Session tokens must use a non-predictable algorithm

186
Q

What is the attack that uses a malicious script on the attacker's site to exploit a session started on another site in the same browser?

A

Cross-Site Request Forgery (XSRF)/(CSRF)

Prevention is difficult since requests tend to look similar to those made by a user of a web application performing normal actions.

Use user-specific tokens in all form submissions to prevent this.

187
Q

An attack that injects a database query into the input data directed at a server by accessing the client side of the application.

A

SQL Injection

The most common detection method is to submit a single apostrophe and then look for errors.

It is common to use an always-true statement to elicit a response. This allows the hacker to start injecting queries with malicious intent.

188
Q

Which vulnerability can pose significant risks to chatbots and language models?

A

Prompt Injection
Example: the MS Tay chatbot, where racist input caused a stir

189
Q

The vulnerability where a hacker uses SQL Injection to reference the actual name of a system object

A

Insecure Object Reference

190
Q

An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.

A

Directory Traversal

191
Q

A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site, designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.

A

Cross-Site Scripting (XSS)

Reflected and Persistent

192
Q

A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.

A

File Inclusion

193
Q

Broken Access Control is defined as when ______

A

User controls are not set up correctly and users have access they should not

194
Q

An attack where an attacker takes advantage of the trust established between the server and the resources it can access, including itself.

A

Server-Side Request Forgery (SSRF)

Reference: the Capital One attack via an improperly configured AWS firewall

195
Q

_____ _____ is an attack that involves deliberately manipulating or corrupting data used in machine learning (ML) models or artificial intelligence (AI) systems

A

Data Poisoning

196
Q

Discovering error messages when attempting SQL Injection is known as ________

A

error-based SQLi

Note - most SQL injection statements start with a single quote

197
Q

A method used by malware to evade block lists by dynamically generating domain names for C2 networks

A

Domain Generation Algorithm (DGA)

Fast Flux Network - continually changing the host IP address in domain records, often combined with a DGA

A high rate of NXDOMAIN errors during DNS resolution can be an indicator of a DGA

198
Q

Which Mac, Linux or Unix command is the equivalent of Windows nslookup?

A

Dig

Used for DNS harvesting

199
Q

What is the condition that occurs when a firewall is under-resourced and cannot log data fast enough, so some data is missed?

A

Blinding Attack

200
Q

What is one method of stopping DDoS using routers?

A

Blackholing, which sends traffic to a null interface

or
Sinkhole - instead of dropping the traffic, sends it to a separate network for analysis

Uses fewer resources than an ACL.

Cloudflare and Akamai

201
Q

Name the types of proxies

A

Non-Transparent -

Transparent - forced and not known to the client

Reverse - protects the server from the client. Great source of logs

202
Q

Open Source IDS _______

A

Zeek Monitoring Tool

203
Q

What is a tool for security analysts and defenders?

A

Security Onion

204
Q

What is the name of malware that is designed to install or run other types of malware embedded in a payload on an infected host?

A

Dropper is at Stage 1

Downloader is stage 2

205
Q

Any lightweight code designed to run an exploit on a target

A

Shell Code

206
Q

What is the Windows service that hosts non-boot drivers, should only have one instance, and is commonly used for malware infections?

A

Services.exe

Child of wininit.exe

207
Q

What is the multi-platform program that runs on Windows, Linux and Mac OS X for identifying, classifying and describing malware samples?

A

Yara

208
Q
A