General Knowledge

Question 1

What is GRC?

Answer 1

Governance, Risk Management, and Compliance

Question 2

What tool should businesses use to track risks?

Answer 2

Risk Register

Question 3

What role does Governance play in the approach to Cybersecurity?

Answer 3

Responsible for creating and maintaining organizational policies. Defines the organizations expectations of its employees and approach to cybersecurity.

Question 4

What are SLO’s within cybersecurity and a Secure Operations Center

Answer 4

Serice Level Object which are the standards that organizations and their leadership must meet to ensure the security of their network.

Question 5

What is MTTD and MTTR

Answer 5

Mean Time to Detect
Mean Time to Recover

Question 6

What are the 4 Risk Responses

Answer 6

Avoid
Accept
Mitigate
Transfer

Question 7

Briefly Describe Threat Modeling

Answer 7

Designed to identify the principal risks and tactics, Techniques and procedures (TPP) that a given system may be subject to by evaluating the system both from an attacker’s point of view and from the defender’s point of view.

Question 8

Name some standard frameworks to help practitioners with controls

Answer 8

NIST 800-171 Protecting Controlled Unclassified Information in NonFederal Systems and Orgs

NIST 800-53 Security and Privacy Controls for Federal Systems

ISO27001 and CIS Top 18 ver 4

Question 9

Name the 3 different classes of Control Types

Answer 9

Technical - Systems
Operational - People
Managerial - Oversight

Question 10

Modern approach to security controls includes preventative but name the 4 additional ones.

Answer 10

Detective
Corrective
Compensating
Corrective

Question 11

This control acts to eliminate or reduce the likelihood of an attack. ACL’s , File System object, AV, etc

Answer 11

Preventative

Question 12

This control does not prevent but will identify and record any attempted our successful intrusion

Answer 12

Detective

Question 13

This control acts to eliminate or reduce the impact of an intrusion attempt.

Answer 13

Corrective

Question 14

This control serves as as substitute for a principal or control.

Answer 14

Compensating
Using a standard and afford better protection than existing control.

Question 15

This control serves to direct corrective action.

Answer 15

Responsive
SOC response with well-defined procedures

Question 16

The term for adopting a functional approach to security controls that maps to known adversary tools and tactics.

Answer 16

Course of Action Matrix (CoA)

Question 17

Name two of the most popular hardening Guides

Answer 17

CIS Benchmarks - 1000 pages

Department of Defense Security Technical Guides (STIGs)

Question 18

What is the attack surface analysis tools that uses MITRE ATT&CK Framework

Answer 18

Adversary Emulation - Red Team Engagement

Comparing Adversary vs Penetration Testing

Goal of the penetration test is to simulate an attack to identify the vulnerabilities and weakness. Prioritize based on findings.

Adversary emulation simulates a real-world cyber-attack by a red team to assess an organizations defense. Much more comprehensive than a pen test.

Question 19

What is the attack surface analysis that offers rewards based on certain elements?

Answer 19

Bug Bounty

Question 20

What is the difference between Threat Intelligence and Threat Hunting

Answer 20

They both encompass the strategies used to detect and protect against active threats.

Threat Intelligence describes gathering and analyzing data to help identify potential threats and determine most cost-effective way to mitigate them.

Threat Hunting is the active search for signs of malicious activity on a network. It uses tools and techniques to search for potential threats such as logs

Question 21

Who published the Common Vulnerabilities and Exposures

Answer 21

MITRE.org

Question 22

What is the common term for Command and Control

Answer 22

C&C or C2

Question 23

Name a defining characteristic of an ATP

Answer 23

Adversary removes evidence of the attack.

Question 24

What is OSINT

Answer 24

Open-Source Intelligence - using publicly available information such as web sites, blogs, chat forums, etc.

Question 25

What are the two broad types of categories for Threat Intelligence

Answer 25

Strategic - High level of view of the threat landscape- trends, tactics, and techniques that threat actors use.

Operational - more granular about specific threats such as malware analysis and network forensics

Question 26

What is an ISAC?

Answer 26

Information and Sharing Analytics Center - required by Government in 1990 to form private/public partnerships and industry associations to disseminate information sector-specific threat intelligence

Question 27

What alliance do cybersecurity vendors openly share threat information with?

Answer 27

Cyber Threat Alliance (CTA)

Question 28

What is CISA

Answer 28

US Cybersecurity and Infrastructure Security Agency

Question 29

What are IoC’s and IoAs and describe

Answer 29

Indicators of a compromise
Indicators of an attack

Based on confidence levels provided by threat information

Question 30

What is the attack data that describes TTP’s of current, active cyberattacks?

Answer 30

Crowdsourced attacks

Question 31

What techniques plays a crucial role in identifying and analyzing IOC’s

Answer 31

Digital Forensics

Question 32

What is the term of using offensive actions to outmaneuver an adversary to make an attack harder to execute?

Answer 32

Active Defense

Honeypots
Honeynets
Active Decoys

Question 33

What are the key differences between Serverless platforms

Answer 33

hardware abstraction. Based on time not hours

Question 34

What are the 3 “planes” of Software Defined Networking

Answer 34

Control Plane - traffic prioritization and where it should be switched

Data Plane - handles the actual switching and routing including any ACL’s

Management Plane - monitoring of traffic conditions and network status

Question 35

What is a networking and security architecture that provides secure access to cloud applications and services while reducing complexity

Answer 35

SASE
Secure Access Service Edge

SASE plays a key role in Zero Trust Architecture

Question 36

The act or cooperation between multiple systems or companies to enable access via trusted accounts is called ___________

Answer 36

a Federation

Question 37

What is the standard method companies use to authenticate between systems such as Google and Amazon and what protocol is involved?

Answer 37

OpenID and Oauth 2.0

Question 38

What is the XML-Based language used to Exchange authentication information between a client and service provider

Answer 38

Security Assertion Markup Language (SAML)

Question 39

What is the XML-Based web services protocol that is used to exchange messages between

Answer 39

Simple Object Access Protocol (SOAP)

Question 40

In relationship to Transitive Trust if resource A trusts resource B and Resource B trust Resource C then T or F Resource A trust Resource C

Answer 40

True
trust models avoid single point of failure

Question 41

What is the Enterprise Management software designed to mediate access to cloud services by users across all types of devices?

Answer 41

Cloud Access Security Broker (CASB)

Question 42

What are the 3 CASB implementations

Answer 42

Forward Proxy - Appliance at client network edge. Can be bypassed and perf concerns

Reverse Proxy - At cloud network edge and does require cloud application support of this proxy

API - built into the Cloud app itself

Question 43

What is SOAR and what function does it serve

Answer 43

Security, Orchestration, Automation and Response

a class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment

Question 44

What is a SIEM and how does SOAR work with this type of system

Answer 44

Security Incident and Event Management

SOARS can bolt onto a SIEM and trigger after an alert is generated

Question 45

Describe relationship between Regulations and Standards

Answer 45

regulations describe legal requirements and ramifications; the details of compliance are oftentimes provided in prescriptive form within a standard.

Question 46

OWASP is _________

Answer 46

Open Web Application Security Project - Internationa non-profit providing unbiased about app security

Publishes top 10
Publishes ModSecurity Tool

Question 47

What is Static Analysis in regard to Vulnerability Scanning?

Answer 47

Manual inspection of source code to identify vulnerabilities and weaknesses.

Question 48

True of False - Fingerprinting in Vulnerability Analysis is the same as Mapping

Answer 48

False - fingerprinting is at the device level while Mapping is looking at the network as a whole

Question 49

What is Dynamic Analysis in Vulnerability

Answer 49

A more rigorous approach typically using vulnerability scanning software and even Pen Testing

Question 50

What is Fuzzing?

Answer 50

Formerly Black Box Testing using specialty software tools to identify problems and issues with an application by purposely inputting or injecting malformed data to it.

Question 51

What is Operations Technology (OT)

Answer 51

Systems that operate separate from Corp IT and typically are comprised of PLC’s and SCADA Networks.

Question 52

What type of system provides mechanisms for workflow and process automation in Industries

Answer 52

Industrial Control Systems (ICSs)

plant devices and equipment with embedded PLC’s

Question 53

What is SCADA

Answer 53

A supervisory control and data acquisition (SCADA) . A system that takes the place of a control server in a multi-site ICS.

Question 54

What type of control language does PLC’s utilize

Answer 54

Special Sequential Control Language called Ladder Logic

Question 55

What is the command to change File and Folder Permissions in Linux

Answer 55

CHMOD

Owner, Group, Other
4 = Read
2 = Write
1 = Excecute

CHMOD

Question 56

What is the most common scan type for NMAP

Answer 56

SYN Scan

Question 57

T or F UDP scans in NMAP is the most unreliable

Answer 57

True

Question 58

What is the numerical score assigned to a computer vulnerability called?

Answer 58

CVSS

Question 59

Who developed the Cyber Kill Chain

Answer 59

Lockheed Martin

Question 60

A NIST Framework that outlines various accepted practices for automating vulnerability scanning.

Answer 60

Security Content Automated Protocol (SCAP)

Question 61

An XML Schema, maintained by Mitre, for describing system security state and querying vulnerability reports and information

Answer 61

Open Vulnerability and Assessment Language (OVAL)

Part of SCAP

Question 62

Scheme for identifying hardware devices, operating systems, and applications developed by Mitre

Answer 62

Common Platform Enumeration (CPE)

Standardized naming format used to identify systems and software

Question 63

Scheme for identifying vulnerabilities developed my Mitre and adopted by NIST

Answer 63

Common Vulnerability and Exposure (CVE)

a list of records where each contains a unique identifier used to describe public known vulnerabilities

Question 64

Scheme for provisioning secure configuration checks across multiple sources developed by Mitre and adopted by NIST

Answer 64

Common Configuration Enumeration (CCE)

similar to CVE except focused on configuration issues which may result in an vulnerability.

Question 65

What are two key elements on how CVSS is scored

Answer 65

CVSS Score Calculation - formula based

CVSS Vector String - more context including identifiers, environmental and additional information

Question 66

T or F CVSS is a measure of exploitablity

Answer 66

False

does not indicate where or not a vulnerability can be exploited.

Question 67

When a Vulnerability Scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not is called a

Answer 67

False Positive

Question 68

When a vulnerability scan incorrectly identifies that a vulnerability does not exist

Answer 68

False negative
Most concerning since it points to issues with scanning engine or database

Question 69

What are the 3 Categories of CVSS Scoring

Answer 69

Impact
Exploitability
Remediation

Question 70

What are the Metrics of the CVSS Scoring

Answer 70

Scope—The number of systems and people affected by the vulnerability.

Confidentiality—The extent to which data is disclosed.

Integrity—The extent to which the system’s functionality is changed or impaired.

Availability—The extent to which a system is unavailable.

Privacy—The extent to which the system’s privacy is impacted.

Operations—The extent to which the system’s security is affected.

Other—Any other relevant or important factors.

Question 71

What are the Payloads in a Wirehark Packet Capture that indicate which server OS

Answer 71

Windows - 32 bytes or string of letters in ASCII

Linux/Unix - 48 bytes or stings of letters and numbers in ASCII.

Question 72

This term describes how many organizations’ networks no longer have a clearly defined “inside” and “outside” boundary.

Answer 72

Depermeterization

Question 73

Data _______________ combines and analyzes data from disparate sources to gain a greater understanding of it

Answer 73

Enrichment

Question 74

Physical (P), Local (L), Adjacent Network (A), or Network (N) are all values for which base metric

Answer 74

Attack Surface

Question 75

When a vulnerability scan correctly identifies a vulnerability.

Answer 75

True Positive

For example, a true positive would be when a scan correctly identifies the presence of default credentials on network equipment.

Question 76

A vulnerability scan that correctly indicates that a system or device does not have a vulnerability.

Answer 76

True Negative

Question 77

What is the term for the type of control when systems do not support modern security features, or these features break business critical functions?

Answer 77

Compensating Controls

this control can provide protection when circumstances prevent the use of the primary security measure.

Question 78

A legal document that outlines the terms and conditions of an agreement between two or more parties.

Answer 78

Memorandum of Understanding (MoU)

It might outline uptime, data access, response times and other performance characteristics that conflict with tasks identified in response to mitigating vulnerabilities.

Question 79

Legally binding contract between two parties that defines the level of services to be provided?

Answer 79

Service Level Agreement

Question 80

What is the system of rules, practices and processes an organization uses to control its operation and the strategic direction it pursues

Answer 80

Organizational Governance

can conflict with security measures.

Question 81

Name the 3 CVSS Temporal Metrics Sub Components

Answer 81

Exploit Code
Maturation
Remediation Level
Report Confidence

Question 82

What are the Rating Levels of CVSS and their corresponding Score Ranges

Answer 82

Rating CVSS Score
Critical 9.0 - 10.0
High 7.0 - 8.9
Medium 4.0 - 6.9
Low 0.1 - 3.9
None 0.0

Question 83

What site holds the CVSS for a CVE Record

Answer 83

nvd.nist.gov

Question 84

Which option in NMAP disables Port Scanning

Answer 84

-sn

Uses a ping sweep which is not an ideal option since many systems will not reply. Port scans would necessary

Question 85

By Default scans how many ports

Answer 85

Top 1000

use -p option to select more ports such as -p 10000-16000

Question 86

What does the -sV option enable during a NMAP Scan

Answer 86

Known as the version scan but is also a banner grabbing, server identification, and enumeration.

Question 87

List the DoD STIGs vulnerability categories.

Answer 87

Category I—Any vulnerabilities that will immediately cause a breach of confidentiality, availability, or integrity. These exposures can grant unapproved access to confidential information, causing a disruption of service. These threats are the most dangerous and may result in death, damage to facilities, or a failure of a mission.

Category II—Any vulnerabilities resulting in loss of confidentiality, availability, or integrity and can lead to a Category I vulnerability, injury, damage to equipment, or degrade a mission.

Category III—Any vulnerabilities that degrade controls implemented to protect against the loss of confidentiality, availability, or integrity and can lead to a Category II vulnerability, delay recovering from an outage, or negatively affect the accuracy of data.

Question 88

_______ are the actions and guidelines for dealing with security events.

Answer 88

Incident Response Plans

Question 89

What are the NIST 800-61r2 stages of incident response life cycle

Answer 89

1. Preparation - hardening, policies and procedures
2. Detection and Analysis - triage
3. Containment - limit impact
4. Eradication and Recovery - multiple phases
5. Post-Incident Activity - Analyze and update procedures and policies

Question 90

Name some of the typical components of an IRP

Answer 90

Incident Response Policies - statements of the organizations expectations and procedures

Incident Response Procedures - Ransomware, Data Exfiltration, Social Engineering Playbook

Incident Tools and Resources - SIEM, IDS, Vuln Scanners, Netflow, Monitoring, FW and Gateways

Identification of Potential Threats and Incident. - Threat modeling, risk Analisys and other threat identification

Assessment of Potential Impacts - using risk analysis and impact assessment to measure the scope of identified incidents.

Creation of Response Plans - detailed, concise and direct

Question 91

What Technical Controls or Tools form the foundation of Incident Detection Capabilities

Answer 91

SIEM and IDS

Question 92

T or F Incident Response Playbooks should be digitally stored as a best practice

Answer 92

Fales - they should be actual playbooks and not accessible digitally to keep malicious intent from getting this

Question 93

Following an incident during Post Review what is the name of the report that should be compiled.

Answer 93

Lessons Learned Report (LLR) or After-Action Report (AAR)

The conclusion of the lessons learned is to continue to update the Incident Response Plan

Question 94

T or F identifying IoC’s is the first step in incident response

Answer 94

True
this is a reactive process and the earlier the detection the better

Question 95

Defacto method for sharing and matching threat intelligence against network traffice

Answer 95

Suricata Rules

passive and used within IDS

Question 96

Data Acquisition as it related to evidence prioritizes collection based on the following

Answer 96

Evidence capture prioritizes collection activities based on order of volatility.

CPU Registers and Cache Memory
Contents of System RAM
Data on HDD
Remove Logging
Physical config data
Archive Data

Question 97

Describe the requierments of the Legal Process

Answer 97

Evidence Preservation - labeled, tagged and bagged.

Ensure Chain of Custody is recorded for each piece of evidence

Apply Legal Holds when applicable. Preserving the data and ensuring no changes are made

e-Discovery to be applied of identifying, collecting and providing the information by a legal hold

Question 98

What are the two classification Frameworks for an Impact Analysis (Triage)

Answer 98

Impact Based

Taxonomy Based - defines incident categories by types such as worm outbreaks. Phishing attempts. DDoS… Includes Sub Categories such as attack vectors, threat type, etc.

Question 99

The process of assessing what costs are associated with an incident such as a data breach is ________

Answer 99

Impact Analysis

Question 100

Describe the key difference between recovery and remediation.

Answer 100

Remediation describes the corrective actions to address a problem permanently vs recovery that would fix the issue but not get to the root cause.

Question 101

Name the Forensic Tools and their functions

Answer 101

Fdisk - List Partitions

testdisk - detailed partitions and hidden

fiwalk - analyze drive image

Fsstat - more information on partitions - especially hidden partitions

fls to pull info from hidden partitions

istat - to pull inode information from hidden partitions

Question 102

Incident Response Report (IRR) should have ________ words also know as the 5?

Answer 102

Interrogative Words
Who, What, When, Where and Why

Must have a timeline to support the 5W’s

Question 103

What is the process called that gets to a foundational understanding of the event

Answer 103

Root Cause Analyss (RCA)

Question 104

What is the site that I can go to for Digitial Forensics Tools Testing

Answer 104

dftt_sourceforge.net

Question 105

What is the name of the command in Kali that hashes the file and adds that hash to the expected file

Answer 105

md5sum

Question 106

What is the name of the Kali utility forensic tools set

Answer 106

Autopsy Forensics Browser

Question 106

Name of Microsoft site and utiliteis to manage and diagnose troubleshoot a windows environment

Answer 106

SysInternals

Question 106

T or F a playbook is designed to automate some the routine tasks ordinarily performed by security personnel in response to a security incident

Answer 106

False

Question 106

What is the name of the command that extracts and displays viewable characters stored within a Binary

Answer 106

Strings Command

Question 106

Wireshark can filter the output using the same expression syntax as _________. Which is a command line packet capture utility for Linux

Answer 106

tcpdump for Linuz
windump for Windows

tcdump -i eth (where eth represents the inerfact to listen on

tcpdump -i eth0 -w capture.pcap

This tool is invaluable for scripting scenarios.

Note - PCAP file format has limitations and has been replaced with PCAPNG by default

Question 106

When a playbook utilizes a high degree of Automation from a SOAR systems then it can be referred to as a Runbook - T or F

Answer 106

True

Question 107

What is the free service designed to inspect files and URLs using over 70 antimalware scanners and domain blocklisting services

Answer 107

VirusTotal

Question 108

What are two common Cloud Based Sandbox

Answer 108

Joe Sandbox
CrowdStrike’s Hybrid Analysis

Question 109

2 of the big 3 threat frameworks are Mitre Attack and Lockheed Martin Kill chain. what is the 3rd one called

Answer 109

Diamond Model Framework

good for teaching and less technical than MITRE

used to develop automated threat intelligence analysis engines which are often integrated with various SIEM Platforms

Question 110

Developed by the Institute for Security and Open Methodologies (ISECOM) this manual outlines every area an organization needs testing with detailed is called __________

Answer 110

Open-Source Security Testing Methodology (OSSTMM)

Operational, physical and Wireless security testing

Question 111

Describe in technical terms the anatomy of SMTP

Answer 111

Mail User Agent (MUA) creates an initial header during email creation. Sent to Message Delivery Agent (MDA) which validates and if not locally sent appends its own header and then transmits message to Message Transfer Agent (MTA). MTA via DNS routes to the recipients MTA. Each MTA it passes through it gets another header.

Question 112

Which email security framework uses DNS Text records that identifies the hosts authorized to send email for that domain?

Answer 112

Sender Policy Framework (SPF)

Question 113

What email security provides a cryptographic authentication method for DNS records and supplements the other framework?

Answer 113

DomainKeys Identified Mail (DKIM)

Uses a public key uploaded as a text record in DNS Server. when outgoing email is processed the domain MTA calculates a hash value on selected message and signs it using its private key. Hash value is added to the message as a DKIM Signature .

Question 114

How does DMARC (Domain-Based Messaging Authentication, Reporting and Conformance apply to email security

Answer 114

DMARC Framework ensures that SPF and DKIM are being utilized effectively.

DMARC policy is published as a DNS Record and specifies an alignment method using one or both SPF and DKIM.

Question 115

What is another name for Doppelganger Domains

Answer 115

Cousin Domains

Question 116

What is the type of system utility that makes the victim system connect back to the attackers’ machines to establish shell access

Answer 116

Reverse Shells

netcat Listener
Bash Shells
Python

These would not be considered normal activity and should be heavily scrutinized.

Question 117

This security product offering scans indicators from multiple intrusion detection and log sources to identify anomalies and are often integrated in SIEM Platforms

Answer 117

User and Entity Behavior Analytics (UEBA).

Tracks user account behavior across different devices and cloud services.

Question 118

A ________ _________ attack allows a small DNS request with a spoofed source IP to generate a very large response.

Answer 118

DNS Reflection

reflection or amplification attack uses spoofing

Question 119

What type of devices does Worm Activity typically saturate

Answer 119

Switches and Routers

Question 120

What is the command that Network Time Protocol can be used to abuse that generates vast amounts of traffic

Answer 120

MonList

Question 121

T or F Beaconing is always associated with an intrusion?

Answer 121

False.
Beaconing is a legitimate process where nodes such as AP’s advertise their presence. But it can also be associated with Remote Access Trojans communicating with C&C.

Question 122

What is the name of the technique used by C&C to avoid being pinned down

Answer 122

Domain Name Generation Algorithm (DGA)

and
Fast Flux DNS

Question 123

What are the common Channels that C&C communicate over

Answer 123

Internet Relay Chat (IRC)
HTTP/HTTPS
DNS - common since it does not require internet and DNS Server can forward requests.

Social Media Website
Media and Doc files - using their metadata which is no inspected typically.

Question 124

What tool from Sysinternals is the reliable method that hackers will use to move laterally through your network

Answer 124

PsExec

Uses a simple pattern
1. Establish a SMB connection to target system
2. Pushes a copy of a receiver process PSEXESVC.exe to target systems ADMIN$ share
3. Launces PSEXESVC.exe which sends an output to a named pipeline

Question 125

What is the name of the attack when an attacker redirects an IP Address to a MAC Address not associated with its proper destination

Answer 125

ARP Spoofing or ARP Poisoning

Question 126

Malware can use any port to communicate but what is the term when it initiates over a standard port then communicates over a different port

Answer 126

Mismatched Port/Application Traffic

Question 127

Describe Shell and Reverse Shell

Answer 127

Shell - opening up a command windows on a remote host

Reverse Shell - opens a listening port on remote host and cause the infected host to connect to it

Question 128

Which open source tool native to Linux that is used by hackers to perform a Reverse Shell

Answer 128

Netcat

produced by Nmap

Question 129

What are the Linux commands that output a summary of memory and processes

Answer 129

Free and Top

htop utility is similar with mouse support and more easily readable output

Question 130

what is the Linux command that can aid in analyzing the file sysem

Answer 130

lsof - retrieves a list of all files currently open.

df and du

Question 131

What are the Windows Scheduled Task Event ID for Creation and Modification and Event ID for enabling or disabling scheduled tasks

Answer 131

4698 - New or modified

4700- enabled or disabled

Question 132

What are the core Process in Windows

Answer 132

Windows Kernel (systems.exe)

Session Manager Subsystem (smss.exe)

Client Server Runtime Subsystem (csrss.exe)

Windows Initialization Process (wininit.exe)

Service Control Manager
(services.exe)

Local Security Authority Subsystem Services (Isass.exe)

Question 133

What is the practice of exploiting flaws in an OS or other App to gain a greater level of access than was intended for the user of the application

Answer 133

Privilege Escalation

Question 134

What are the common types of NMAP Scanning and their flags

Answer 134

TCP SYN (-sS)
TCP Connect (-sT)
TCP Flags (-sN, -sF, -sX)
UPD Scan (-sU)
Port Range (-p)

Question 135

NMAP can also be used for Fingerprinting on hosts?

Answer 135

True

Using -sV or -A NMAP can get
Protocol
App Name and Version
OS Type and Version
Host Name
Device Type

Question 136

Which free tool can be used for quickly scanning a network to identify connected devices and services

Answer 136

Angry IP Scanner

Question 137

What is the name of the sophisticated visualization tool that helps investigators quickly identify relationships among entity types

Answer 137

Maltego

Question 138

_________ is a very powerful collection of tools designed to exploit vulnerabilities in a wide range of systems and software

Answer 138

Metasploit Framework

Question 139

_________ has a syntax and use that parallels Metasploit but focused on performing web based reconnaissance.

Answer 139

Recon-ng

best for reconnaissance in the information gathering phase of exploitation.

Question 140

What is the open-source security platform built on OSSEC providing a range of features for monitoring threat detection and compliance management

Answer 140

Wazuh

Can be integrated with Elastic Stack and is highly scaleable

Question 141

Name of the password guessing/stuffing attack in Linux

Answer 141

Hydra

Question 142

Wazuh Level scales are

Answer 142

Info - 0-3
Low - 4-7
Medium - 8-11
High - 12-15
Emergency 16

Question 143

What is the type of attack that requires a theft of a token from a valid client which is then used from a different system to fool the authentication services

Answer 143

Pass the Hash

Question 144

What is the primary reason to avoid the use of MD5

Answer 144

Propensity for collisions

Question 145

What European Org was setup in 90’s for Computer Antivirus Research

Answer 145

EICAR
European Institute for Computer Antivirus Research

Question 146

What is the project of NIST for software library called

Answer 146

National Software Reference Library.

Question 147

What is the very popular tool for analyzing and exploiting web applications and what category is it.

Answer 147

Burp Suite
Intercepting Proxy

Question 148

Zed Attack Proxy (ZAP) is another similar tool to Burp Suite and what organization produced it.

Answer 148

OWASP

Open World Application Security Project

Question 149

Name a popular web app scanner that uses the command line.

Answer 149

Nikto

Question 150

Name some of the common Debuggers and Reverse Engineering Tools

Answer 150

Immunity Debugger - Open source and very popular

GNU Debugger - open source and focuses on programs wrriten in C, C++ and Fortran

Question 151

Name the poplular tools for App and Cloud Penetration Testing

Answer 151

ScoutSuite - open source and works with all 3 of the major public clouds

Prowler - same but only AWS

PACU - AWS only and would require permission for CSP’s acceptable use policy

Question 152

______ is a CLI web vulnerability scanner that can detect over 6700 potentially dangerous files and CGI Scripts

Answer 152

Nikto

Question 153

________ is a CLI Web vulnerability scanner that focuses on problematic web scripts

Answer 153

Wapiti

Question 154

Who owns SSL Labs and what does this service prform

Answer 154

Qualys
website/web and web browsing testing service

Question 155

What is a name of a excellent online web vulnerability scanner

Answer 155

PentTest Tools

Question 156

What tool can automatically perform reconnaissance and scanning of website using NMPA, Shodan, Whatweb, Nikto, Vulners, Hydra and more

Answer 156

Legion

Question 157

what service scans sites and provides in HTML format findings into different service categories such as Good, Warning, Danger

Answer 157

ScoutSuite

Question 158

Command Line Cloud Security Auditing Tool that generates a report summarizing the security posture of a company’s cloud architecture.

Answer 158

Prowler

Question 159

What is a common password cracking tool that performs dictionary attacks?

Answer 159

John the Ripper (JrT or John)

Question 160

T or F a Dictionary attack and Brute Force is a form of offline password cracking.

Answer 160

True

Uses stolen password hashes and does not interact with a live authentication system

Question 161

Name of the command line utility for cracking Wireless Networks

Answer 161

Aircrack

Question 162

What is the widely used tool for LInux Apps for debugging, inspecting runtime status, and modifying the programs execution flow.

Answer 162

GNU Debugger

Question 163

What is the open source, feature rich modular web application security testing framework

Answer 163

Arachni

Question 164

Windows Powershell uses what type of extension and what type of command syntax

Answer 164

.PS1

easily reconnizable by using cmdlets that use a Verb-Noun such as a Invoke-Command

Get-Content
Add-Content

Question 165

What is the command language that is part of Windows WMI and what is it used for

Answer 165

Windows Management Instrumentation Command-Line

Performing administrative tasks and well suited to scripting and automation

Question 166

What is the interpreted , high level, general purpose programming language used for a wide variety of purposes and what is its extension

Answer 166

read pointer position

Python

.py

print(‘The current pointer position is {0}.format(mouse.position))

Question 167

What is the object orientated, event driven programming language that enables website interaction.

Answer 167

JavaScript Object Notation (JSON)

as opposed to HMTL which simply display’s information.

Similar to XML

uses curly bracket syntax and allows for the use of arrays (lists)

{ “product info” :
{
“product name” : “adjustable race”, “product number” : “AR-5381”,

{

Question 168

What is the primary difference between HML and XML

Answer 168

HMTL displays data and XML transfer it

note the syntax

<Prodcuts> and /
</Prodcuts>

Question 169

What is the name of the web security flaw that enables an attacker to read various files on the web server when an application is running.

Answer 169

Directory or File Path Traversal

Question 170

What is the attack that takes advantage of a website’s weakness in allowing submitted code and commands to execute

Answer 170

Cross-site Scripting (XSS)

It also uses hex coding to obfuscate characters:
Common ones are:
%20 space
%2F /
%3c <

Question 171

Predecessor to Bourne Shell

Answer 171

BASH (Bourne-again shell)

an improved version of sh and very common.

Supports full programatic structure and looks like

Tux@ubuntu:~$ cat boolean_loop.sh
#/bin/bash
mynum=100

While :
Do
Echo “enter a number or CTRL-C to quit”
Read num1
If [ $num1 -gt $mynum]; then
echo “your number is smaller”
echo
Else
echo “We picked the same number!”
Echo
fi
done

Question 172

To redirect output data to other locations such as a file or program what are is the redirection characters

Answer 172

> for basic redirection
> for appending to existing

Question 173

What is the method of system development that incorporates security controls in every phase of the systems lifecycle

Answer 173

Secure Software Development Life Cycle (SSDLC)

Question 174

What is a comprehensive guide for testing the security of web applications

Answer 174

OWASP Testing Guide

provides a structured approach to web app security testing

1. Info Gathering
   2, Config and Deployment management testing
   3, Identity management testing
2. Input validate……

Question 175

This password attack describes when an attacker chooses predetermined passwords and tries them for multiple accounts

Answer 175

Password Spraying

a brute force attack which multiple user account are tested with a dictionary of common passwords

Question 176

This password attack describes the use of credentials stolen from one source and trying them agains multiple sources

Answer 176

Credential Stuffing

a brute force attack in which stolen user account names and passwords are tested against multiple websites

Question 177

A software vulnerability where the authentication mechanism allows an attacker to gain entry

Answer 177

Broken Authentication

eg. cleartext credentials, weak session tokens, or permit brute force login requests

Question 178

__________ is a software vulnerability where a program attempts to write more data to a temporary storage area in memory than it can hold. causing data to overflow into adjacent memory. What is a widely used vulnerability discovered called

Answer 178

Buffer Overflow

Heartbleed - OpenSSL Implementations of TLS. In vulnerable versions of OpenSSL an attacker can send a malformed heartbeat request that causes the server to leak up to 64 KB of memory data.

Question 179

What is the area of memory allocated by the application during execution to store a variable called _______. _______ _______ can overwrite those variables and possibly allow arbitrary code excecution

Answer 179

Heap

Heap Overflow -

Question 180

_______ type of software vulnerability that occurs when a program tries to store an integer value larger than the maximum value that the data type can hold. this causes the value to wrap around to a lower value or overflow into adjacent memory space.

Answer 180

Integer Overflow - can cause a buffer overflow

Fun Fact: Famous Integer Overflow occurred during NASA’s Mars Climate Orbiter in 1999 - force of thrusters exceeded max value and it went negative resulting incorrect trajectory.

Question 181

What is the name of the region of memory that hold temporary data created by a program during runtime. What is the vulnerability when a program tries to store more data in the _____

Answer 181

Stack
Stack Overflow

some programming language such as C and C++ contain built in function such as strcpy

Question 182

What is the technique that randomize where components in a running application are placed in memory to protect against buffer overflows

Answer 182

Address Space Layout Randomization (ASLR)

Question 183

Which exploit is more difficult versus Local File Inclusion or Remote File Inclusion

Answer 183

Remote File Inclusion is easier to perform but less likely to be exploitable.

Question 184

T or F HTTP is a stateless Protocol

Answer 184

True
It uses Cookies to preserve info on users

Nonpersistent Cookies or session cookies which are stored in memory and deleted when browsers are closed.

Persistent Cookies are stored in browser cache until deleted by user or expire on its own.

Local cookies if not encrypted can hold confidential information.

Question 185

What are the ways you can protect against Session Hijacking that exploit Cookies

Answer 185

Deliver a new cookie upon each connection.
Session tokens must use a non-predictable algorithm

Question 186

What is the attack that uses a malicious script on the Attackers site that can exploit a session started on another site in the same browser called

Answer 186

Cross-Site Request Forgery (XSRF)/(CSRF)

Prevention is difficult since requests tend to look similar to those made by a user of a web application performing normal actions.

Use of user-specific tokens in all form submissions to prevent this

Question 187

An attack that injects a database query into the input data directed at a server by accessing the client side of the application.

Answer 187

SQL Injection

most common method is to submit a single apostrophe and then look for errors.

common to use a true statement to illicit a response. This allows hacker to start to inject queries for malicious intent

Question 188

Which vulnerability can pose signficant risks to chat bots and language Model

Answer 188

Prompt Injection
exampe of MS Tay Chatbot and racial input caused a stir

Question 189

The vulnerability where a hacker using SQL Injection to reference an actual name of a system Object

Answer 189

Insecure Object Reference

Question 190

An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory

Answer 190

Directory Traversal

Question 191

A malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser’s security model of trusted zones.

Answer 191

Cross-Site Scripting (XSS)

Reflected and Persistent

Question 192

A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.

Answer 192

File Inclusion

Question 193

Broken Access Controls is defined as when ______

Answer 193

User Controls are not seutp correctly and have access they should not

Question 194

An attack where an attacker takes advantage of the trust established between the server and the resources it can access, including itself.

Answer 194

Server-Side Request Forgery (SSRF)

reference Capital One Attack via AWS improper configured firewall

Question 195

_____ _____is an attack that involves deliberately manipulating or corrupting data used in machine learning (ML) models or artificial intelligence (AI) systems

Answer 195

Data Poisoning

Question 196

Discovering errors messages when attempting SQL Injection is known as ________

Answer 196

error-based SQLi

Note - most sql injection statements start with a single quote

Question 197

A method used by malware to evade block lists by dynamically generating domain names for C2 networks

Answer 197

Domain Generation Algorithm (DGA)

Fast Flux Network - continually changing the host IP address in domain records using DGA

if you get a high rate of NXDOMAIN errors while resolving the DNS it could be an indicator of a DGA

Question 198

Which MAC, Linux or Unix command is the same as Windows NSLooksup

Answer 198

Dig

Used for DNS Harvesting

Question 199

What is the condition that occurs when a firewall is under-resources and cannot log data fast enough and there some data is missed

Answer 199

Blinding Attack

Question 200

What is one method of stopping DDoS using routers

Answer 200

Blackholing which sends traffic to null interface

or
SinkHole - instead of dropping it sends to separate network for analysis

uses less resources than ACL.

CloudFlare and Akamaia

Question 201

Name the two types of Proxies

Answer 201

Non-Transparent -

Transparent - forced and not known to client

Reverse - protects server from client. Great source of logs

Question 202

Open Sources IDS _______

Answer 202

Zeek Monitoring Tool

Question 203

What tool for Security Analyst for Defenders

Answer 203

Security Onion

Question 204

What is the name of Malware that is designed to install or run other types of maloware embedded in a payload on an infected hosts

Answer 204

Dropper is at Stage 1

Downloader is stage 2

Question 205

Any lightweight code designed to run an exploit on an target

Answer 205

Shell Code

Question 206

What is the Windows Services that Hosts nonboot drivers and should only have one instance but is commonly used for Malware infections

Answer 206

Services.exe

child of Winnit.exe

Question 207

What is the multi-platform program that runs on Windows, Linux and Mac OS X for identifying, classifying and describing malware samples

Answer 207

Yara