Part 6

Question 1

What is the service that allows hardware and software access and information transfer between different security domains or levels of classification either manually or automatically?

Answer 1

Cross Domain Services / Multi-Layer System

CDS/MLS

Question 2

What eliminates the need for multiple workstations to access different enclaves?

Answer 2

Secure Office Trusted Thin Client (SOTTC)

Question 3

What is used to restrict the data flow from applications and users to the management resources in each enclave?

Answer 3

Virtual Routing and Forwarding (VRF)

Question 4

On CANES, encryption methods for laptops with SECNET 54 devices attached utilizing SECRET wireless need what compartment?

Answer 4

HAIPE-compliant devices

Question 5

How many wireless access points do platforms hosting CANES with CISCO Aironet 1242 AG have?

Answer 5

30

Question 6

What are the 4 accounts of HBSS?

Answer 6

Sqlsrvusr: used for local log on for the SQL service
Sqlsrvagt: used for local log on for the SQL Server Agent service
Eposql: this account is built into SQL Server Management, and is the account that ePO uses to “talk” to the MSSQL database
Proxy.epo: this AD account is used for Master Repository replication and other off-ship communications

Question 7

Which account does ePO use to talk to SQL?

Answer 7

Eposql

Question 8

Which account does HBSS use for off ship communication?

Answer 8

Proxy.epo

Question 9

In the CANES implementation, rogue sensors must be installed on which following servers?

Answer 9

BU01, BU02, MTS, VC01, WEB

Question 10

Which server should NOT have a rogue sensor as it is a DHCP server and has conflicts with the Threat Management Gateway (TMG)?

Answer 10

IAEXET

Question 11

What is the name of the agent that handles audit records?

Answer 11

NetIQ

Question 12

Which appliance controls access to the CANES network?

Answer 12

Identity Service Engine (ISE)

Question 13

What applies local security at the end of its software installation and provides an automated way to apply the local security portion by itself?

Answer 13

Security Configuration Module (SCM)

Question 14

What term signifies that the system is secured to the highest degree possible, while still allowing for the operational environment in which the systems must function?

Answer 14

Hardening

Question 15

Where is Symantec Endpoint Security Manager installed?

Answer 15

Ex01

Question 16

Symantic Mail Security for Microsoft Exchange (SMSME) scans email messages that pass through the exchange server and protects the exchange server from what?

Answer 16

Threats (virus, worms, Trojan horses, DOS
Security risks (adware, spyware)
Unwanted content
Unsolicited email (spam)

Question 17

What kind of server is the Threat Management Gateway (TMG)?

Answer 17

Member server not a domain server

Question 18

What can you set to limit internal users access to the internet?

Answer 18

River City

Question 19

What is a predefined access rule that protects networks by blocking all traffic that is not explicitly allowed by other, user defined l, access rules and is always processed last?

Answer 19

Default Deny Rule

Question 20

What products is installed and configured manually and if the product has a broad scope or is a client application, then Microsoft SCCM is used to deploy the product and the configuration is automated?

Answer 20

Operating Environment applications

Question 21

CANES architecture has how many SADRs?

Answer 21

2

Question 22

What has state-of-the-art antivirus software, was built to secure virtual infrastructure, anti-spyware, firewall and intrusion prevention?

Answer 22

Symantic Endpoint Manager (SEM)

Question 23

If you have an inspection and some portion of a POR system failed or needs correction what do you do?

Answer 23

Contact the POR for changes to the configuration

Question 24

What is a trading security concern for routers and switches?

Answer 24

An attacker could console in and reconfigure the router or switch or control the routing and switching.

Question 25

What are concerns in traditional security?

Answer 25

Access control
Storage media 
Password storage
Physical security
Emergency procedures 
Personal electronic devices 
Wireless devices 
Classified material handling

Question 26

Which CE verifies CND?

Answer 26

CE-06

Question 27

Which CE demonstrates cyber ops casualty and incident response procedures?

Answer 27

CE-11

Question 28

How many stages are there in a CCRI?

Answer 28

3

Question 29

What are the stages of a CCRI?

Answer 29

Admin review
TAV
Inspection CSI

Question 30

What is a stage 2 ccri looking at?

Answer 30

5 IA facets as well as the stage 1 findings

Question 31

How long is the stage 3?

Answer 31

5 days

Question 32

What does the McAfee Whitelisting of Rogues check portion of the inspection look at?

Answer 32

List of exceptions

Question 33

What are the two HIP categories?

Answer 33

HIP firewall policy is enabled

Firewall Connection Aware Group / Location Aware Group (FCAG/LAG) prevents cross Domain violations

Question 34

What systems need a waiver?

Answer 34

Systems that are not or cannot be configured to have HBSS installed.

Question 35

What were two significant attacks to DOD networks?

Answer 35

Operation Rolling Tide, Task Force Cyber Awakening

Question 36

What are actions that are conducted to address System or network security incidents, restore systems to their operation states, and correct any technical or administrative flaws to prevent future attacks?

Answer 36

Computer Incident Response

Question 37

What is the terminology for when operations or actions that disrupt, deny, degrade or destroy information within a computer network, or the system or network itself?

Answer 37

Computer network attack

Question 38

What is an unauthorized access to an information system?

Answer 38

Intrusion

Question 39

What occurs when information from a higher classification/restriction is placed on machines or networks of lower classification/restriction either intentionally or inadvertently?

Answer 39

Electronic spillage

Question 40

What Delivery Vector category is when a user with authorized access took specific actions that resulted in jeopardizing ISs or data?

Answer 40

Category 2 - Authorized user

Question 41

What Delivery Vector category is when a compromise resulted from the inadequate or improper configuration of an IS?

Answer 41

Category 4 - configuration management

Question 42

What category of Delivery Vector is when a compromise resulting from the implicit or explicit trust relationship between security domains?

Answer 42

Category 6 - ACAS Transitive Trust

Question 43

What event incident category is unauthorized privileged access (administrative or root access to a DOD system?

Answer 43

Category 1 - Root level intrusion (incident)

Question 44

What event incident category is when unauthorized non privilage access (user level permissions) to a DOD system. Automated tools, targeted exploits, or self-propagating malicious logic may also attain these privileges?

Answer 44

Category 2 - User Level Intrusion (Incident)

Question 45

What event incident category is when there has been an attempt to gain unauthorized access to the system, which is defeated by normal defensive mechanisms. Attempt fails to gain access to the system(e.g. attack attempted valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning. Can include reporting of quarantined malicious code.

Answer 45

Category 3 - unsuccessful activity attempted (event)

Question 46

What event incident category is an activity that impairs, impedes, or halts normal functionality of a system or network?

Answer 46

Category 4 - Denial of Service (Incident)

Question 47

What event incident category is used for activity that due to DOD actions (either configuration or usage) makes DOD systems potentially vulnerable (e.g., missing security patches, connections across security domains, installation of vulnerable applications, etc.) In all cases, this category is not used if an actual compromise has occurred. Information that fits this category is the result of non-compliant or improper configuration changes or handling by unauthorized users.

Answer 47

Category 5 - Non-Compliance Activity (Event)

Question 48

What event incident category is for events that are initially suspected as being malicious but after investigation are determined not to fit the criteria for any of the other categories (e.g., system malfunction or false positives)?

Answer 48

Category 9 - explained anomaly (Event)

Question 49

How do you determine if there has been an incident or event?

Answer 49

Signs of an occurrence are identified by comparing abnormal activity to established baselines and thresholds of known good system performance and operation.

Question 50

What port is FTP?

Answer 50

21

Question 51

What port is SSH?

Answer 51

22

Question 52

What port is Telnet?

Answer 52

23

Question 53

What port is DNS?

Answer 53

53

Question 54

What port is RPC?

Answer 54

135

Question 55

What are the procedures to identify, isolate, mitigate, resolve, recover, and repair systems in response to a cyber event?

Answer 55

Incident response

Question 56

What phase of incident response involves the establishment and training an incident response team, as well as acquiring acquiring necessary tools/resources to perform the response?

Answer 56

Preparation

Question 57

What incident response phase assists the management of an incident and prevention of further attacks?

Answer 57

Detection and analysis

Question 58

What phase of incident response assists the management of the incident and prevention of future attacks?

Answer 58

Containment

Question 59

What incident categories must be sanitized and rebuilt from trusted media?

Answer 59

1, 2, 7

Question 60

Which incidents potentially necessitate a gateway block?

Answer 60

1, 2, 3, 4, 6, 7

Question 61

What two block lists are provided by NCDOC?

Answer 61

Ip block list

DNS Black hole

Question 62

What are are three tiers of CND?

Answer 62

Global
Regional (NCDOC which is the CSSP)
Local

Question 63

Who is the principal advisor to the CO?

Answer 63

CSM

Question 64

Who shall ensure that the ES is contained and cleaned from affected systems in accordance with guidance provided by the CO, CSM, and the OCA?

Answer 64

ISSM

Question 65

What form do you fill out for spillage?

Answer 65

Electronic Spillage Action Form

Question 66

Who tracks ESAF?

Answer 66

Navy Net War Com

Submit to the ESC

Question 67

What two programs does NCDOC use for collection and preservation of volatile data?

Answer 67

Dumpit

Helix Pro

Question 68

What is important to remember concerning volatile data?

Answer 68

Do not turn it off

Question 69

What system state command is used for user accounts?

Answer 69

Net user

Question 70

What system state command is for ARP table

Answer 70

ARP -a

Question 71

What system state command is used for network interfaces?

Answer 71

Ipconfig /all

Question 72

What system state command is used for network connections?

Answer 72

Netstat -abn

Question 73

What system state command shows running tasks?

Answer 73

Task list

Question 74

Where can you find files belonging or related to applications such as executables, configuration files, log scripts, scripts, graphics and icons?

Answer 74

Application files

Question 75

Where can you find files used to extend the amount of memory available by allowing programs to swap pages of data in and out of RAM?

Answer 75

Swap files

Question 76

Where can you find files created to preserve the state of a system such as the memory contents and open files that are used to restore a system when it has been turned back on?

Answer 76

Hibernation files

Question 77

Where can you find files that have been deleted

Answer 77

Deleted files

Question 78

What should you do when you have collected data?

Answer 78

Make a copy
Master copy
Working copy

Question 79

What two tools of HBSS have the ability to monitor files?

Answer 79

ABM & FIM

Question 80

What is the process of identifying, analyzing, and characterizing information gathered from affected systems?

Answer 80

Malware analysis

Question 81

Where should you perform malware analysis?

Answer 81

Isolated environment

Question 82

What are two places you can perform malware analysis?

Answer 82

Isolated dedicated computer or a virtual machine

Question 83

What are abnormal combinations of seemingly uninteresting events that could be one of the first precursors to an attack?

Answer 83

Unrecognized connection to the web server
Unrecognized configuration change
Unrecognized user creation or privilage elevation

Question 84

When will you determine the training needs to prevent future attacks?

Answer 84

Post incident analysis

Question 85

What is the process of collecting messages from different systems and finding all messages that belong to one single event?

Answer 85

Correlation analysis

Question 86

What is the most important feature for correlation analysis?

Answer 86

Time stamps

Clock settings

Question 87

What are two sources for information on attacks?

Answer 87

CVE, USCYBERCOM

Question 88

Who provides logs to NCDOC?

Answer 88

Shipboard personnel