pp Flashcards
Analyze the following scenarios and determine which attacker used piggy backing.
On the way to a meeting in a restricted area of a government facility, a contractor holds open a gate for a person in a military uniform, who approaches the entry point at a jog, flashing a badge just outside of the readable range.
A government employee is late for a meeting in a restricted area of a military installation. Preoccupied with making the meeting on time, the employee does not notice when the gate has not closed and someone enters the restricted area.
An employee leaves the workstation to use the restroom. A coworker notices that the employee has forgotten to lock the workstation, and takes advantage of the user’s permissions.
Several prospective interns are touring the operations floor of a large tech firm. One of them seems to be paying especially close attention to the employees.
A
Piggy backing is similar to tailgating, but the attacker enters a secure area with an employee’s permission. Flashing an unreadable badge implies a request, soliciting to hold the door. The attacker takes advantage of urgency.
Tailgating is a means of entering a secure area without authorization by following close behind a person who is allowed to open the door or checkpoint.
Lunchtime attacks take advantage of an unsecured, unattended workstation to gain access to the system.
An attacker can use shoulder surfing to learn a password or PIN (or other secure information) by watching the user type it. Despite the name, the attacker may not have to be close to the target.
Analyze and select the statements that accurately describe both worms and Trojans. (Select all that apply.)
A worm is concealed within an application package while a Trojan is self-contained.
Both worms and Trojans can provide a backdoor.
Both worms and Trojans are designed to replicate.
A worm is self-contained while a Trojan is concealed within an application package.
BD
Both worms and Trojans can provide a backdoor into a system. Worms can carry a payload that may perform a malicious action such as installing a backdoor. Many Trojans function as backdoor applications.
Worms are self-contained and are memory-resident viruses that replicate over network resources. A Trojan is concealed within an application package.
Worms do not need to attach themselves to another executable file as they are self-contained. Trojans are not self-contained and are delivered with an application.
Worms are designed to replicate, but Trojans are not. Typically, a worm is designed to rapidly consume network bandwidth as it replicates. This action may be able to crash a system.
An end-user has enabled cookies for several e-commerce websites and has started receiving targeted ads. The ads do not trouble the user until, when trying to access an e-commerce site, the user gets several pop-up ads that automatically redirect the user to suspicious sites the user did not intend to visit. What is the most likely explanation for this phenomenon?
Tracking cookies have infected the user’s computer.
Ransomware has infected the user’s computer.
Spyware has infected the user’s computer.
Crypto-malware has infected the user’s computer.
A
Spyware can perform adware-like tracking and monitor local activity. Another spyware technique is to perform domain name service (DNS) redirection to pharming sites.
Cookies are not malware, but if browser settings allow third-party cookies, they can record pages visited, search queries, browser metadata, and IP addresses.
Ransomware is a type of Trojan malware that tries to extort money from the victim. It will display threatening messages, stating the computer will remain locked until the victim pays the ransom.
Crypto-malware is a class of ransomware that attempts to encrypt data files. The user will be unable to access the files without obtaining the private encryption key, which is held by the attacker.
A hacker gains access to a database of usernames for a target company and then begins combining common, weak passwords with each username to attempt authentication. The hacker conducts what type of attack?
Password spraying
Brute force attack
Dictionary attack
Rainbow table attack
A
Password spraying is a horizontal brute-force online attack. An attacker chooses common passwords and tries them with multiple usernames.
A brute-force attack attempts every possible combination in the output space to match a captured hash and guess at the plaintext that generated it.
An attacker uses a dictionary attack where there is a good chance of guessing the plaintext value (non-complex passwords). The software generates hash values from a dictionary of plaintexts to try to match one to a captured hash.
Rainbow table attacks refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes and looks up the hash value of a stored password in the table to discover the plaintext.
A retail establishment experiences an attack where whole number values have been exploited. As a result, some credit values are manipulated from positive values to negative values. Which type of attack is the establishment dealing with?
Integer overflow
Buffer overflow
Stack overflow
Race condition
A
An integer overflow attack causes the target software to calculate a value that exceeds these bounds. This may cause a positive number to become negative.
A buffer is an area of memory that the application reserves to store expected data. To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer.
A stack is an area of memory used by a program. It includes a return address, which is the location of the program that called the subroutine. An attacker could use a buffer overflow to change the return address.
Race conditions occur when the outcome from an execution process is directly dependent on the order and timing of certain events, and those events fail.
An attacker compromises a confidential database at a retailer. Investigators discover that unauthorized ad hoc changes to the system were to blame. How do the investigators describe the actor vector in a follow-up report? (Select all that apply.)
Configuration drift
Weak configuration
Lack of security controls
Shadow IT
AD
Configuration drift happens when malware exploits an undocumented configuration change on a system.
Shadow IT occurs when software or an unauthorized service/port reapply the baseline configuration and investigate configuration management procedures to prevent this type of ad hoc change.
Weak configuration occurs when a configuration was correctly applied but was exploited anyway. Review the template to devise more secure settings.
A lack of security control is likely to happen if an attack could have been prevented by endpoint protection or antivirus, a host firewall, content filtering policies, data loss prevention systems, or a mobile device management program.
P488
Configuration drift—if the malware exploited an undocumented configuration
change (shadow IT software or an unauthorized service/port, for instance), reapply
the baseline configuration and investigate configuration management procedures
to prevent this type of ad hoc change.
An unauthorized person gains access to a restricted area by claiming to be a member of upper management and bullying past the door guard’s verbal attempts to stop the unauthorized visitor. What type of policy could help mitigate this type of social engineering attack?
Challenge policy
ID badge policy
Mantrap policy
Skimming policy
A
One of the most important parts of surveillance is the challenge policy, which details appropriate responses for given situations and helps to defeat social engineering attacks. Challenge policies may include insisting that individuals complete proper authentication at gateways, even if this means inconveniencing staff members (no matter their seniority).
Anyone moving through secure areas of a building should be wearing an ID badge; anyone without an ID badge security should challenge them.
A mantrap is a physical security control used for critical assets, where one gateway leads to an enclosed space protected by another barrier.
Skimming involves the use of a counterfeit card reader to capture card details, which are then used to program a duplicate.
p556
Reception Personnel and ID Badges
One of the most important parts of surveillance is the challenge policy. This sets out what type of response is appropriate in given situations and helps to defeat social engineering attacks. This must be communicated to and understood by the staff. Challenges represent a whole range of different contact situations. For example:
• Challenging visitors who do not have ID badges or are moving about unaccompanied.
• Insisting that proper authentication is completed at gateways, even if this means inconveniencing staff members (no matter their seniority).
• Intruders and/or security guards may be armed.
The safety of staff and compliance with local laws has to be balanced against the imperative to protect the company’s other resources. It is much easier for employees to use secure behavior in these situations if they know that their actions are conforming to a standard of behavior that has been agreed upon and is expected of them.
An attack at a company renders a network useless after a switch is impacted. Engineers review network traffic and determine that the switch is behaving like a hub. What do the engineers conclude is happening? (Select all that apply.)
The switch’s memory is exhausted.
The switch is flooding unicast traffic.
The switch MAC table has invalid entries.
The switch is using MAC-based forwarding.
AB
MAC flooding is used to attack a switch. The intention of the attack is to exhaust the memory used to store the switch’s MAC address table.
Overwhelming the switch’s MAC table can cause the switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all ports.
If the switch has invalid entries, it would need to build a new MAC table. It would not be flooding traffic out all ports.
The switch uses the MAC address table to determine which port to use to forward unicast traffic to its correct destination.
P238
MAC Flooding Attacks Where ARP poisoning is directed at hosts, MAC floodingis used to attack a switch. The intention of the attacker is to exhaust the memory used to store the switch’s MAC address table. The switch uses the MAC address tableto determine which port to use to forward unicast traffic to its correct destination. Overwhelming the table can cause the switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all ports, working as a hub. This makes sniffing network traffic easier for the threat actor.
After several users call to report dropped network connections on a local wireless network, a security analyst scans network logs and discovers that multiple unauthorized devices were connecting to the network and overwhelming it via a smartphone tethered to the network, which provided a backdoor for unauthorized access. How would this device be classified?
A switched port analyzer (SPAN)/mirror port
A spectrum analyzer
A rogue access point (AP)
A thin wireless access point (WAP)
C
With a SPAN port, the sensor attaches to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports).
A spectrum analyzer is a device that can detect the source of jamming (interference) on a wireless network.
A malicious user can set up an unauthorized (rogue) access point with something as basic as a smartphone with tethering capabilities, and non-malicious users could do so by accident.
An access point that requires a wireless controller to function is known as a thin WAP, while a fat WAP’s firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller.
P253
An engineer pieces together the clues from an attack that temporarily disabled a critical web server. The engineer determines that a SYN flood attack was the cause. Which pieces of evidence led the engineer to this conclusion? (Select all that apply.)
ACK packets were held by the server
SYN/ACK packets were misdirected from the client
ACK packets were missing from the client
SYN/ACK packets from the server were misdirected
CD
A SYN flood attack works by withholding the client’s ACK packet during TCP’s three-way handshake.
In a SYN attack, the SYN/ACK packets are not misdirected from the client since the client is the attacker. Packets are misdirected from the server since the attacker is a spoofed client.
Typically a client’s IP address is spoofed in a SYN attack, meaning that an invalid or random IP is entered so the server’s SYN/ACK packet can be misdirected.
In a SYN attack, the three-way handshake is compromised. The client’s ACK packet is held, not the SYN packet.
P257
Some types of DDoS attacks simply aim to consume network bandwidth, denying it to legitimate hosts, by using overwhelming numbers of bots. Others cause resource exhaustion on the hosts’ processing requests, consuming CPU cycles and memory. This delays processing of legitimate traffic and could potentially crash the host system completely. For example, a SYN flood attackworks by withholding the client’s ACK packet during TCP’s three-way handshake. Typically the client’s IP address is spoofed, meaning that an invalid or random IP is entered so the server’s SYN/ACK packet is misdirected. A server, router, or firewall can maintain a queue of pending connections, recorded in its state table. When it does not receive an ACK packet from the client, it resends the SYN/ACK packet a set number of times before timing out the connection. The problem is that a server may only be able to manage a limited number of pending connections, which the DoS attack quickly fills up. This means that the server is unable to respond to genuine traffic.
The IT staff at a large company review numerous security logs and discover that the SAM database on Windows workstations is being accessed by a malicious process. What does the staff determine the issue to be?
Shellcode
Persistence
Credential dumping
Lateral movement
C
Credential dumping is a method used to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process.
Shellcode is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges to a system.
Persistence is a mechanism that maintains a connection if the threat actor’s backdoor is restarted, if the host reboots, or if the user logs off.
With lateral movement, the attacker might be seeking data assets or may try to widen access by changing the system security configuration.
P404
A junior engineer suspects there is a breached system based on an alert received from a software monitor. The use of the alert provides which information to the engineer?
TTP
CTI
IoC
ISAC
An indicator of compromise (IoC) is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked and provides evidence of a TTP.
A tactic, technique, or procedure (TTP) is a generalized statement of adversary behavior. TTPs categorize behaviors in terms of a campaign strategy.
Threat data can be packaged as feeds that integrate with a security information and event management (SIEM) platform. These feeds are usually described as cyber threat intelligence (CTI) data.
Public/private information sharing centers are utilized in many critical industries. Information Sharing and Analysis Centers (ISAC) are set up to share threat intelligence and promote best practices.
P650
IoC (indicator of compromise)A sign that an asset or network has been attacked or is currently under attack.
P38
Tactics, Techniques, and Procedures and Indicators of Compromise A tactic, technique, or procedure (TTP)is a generalized statement of adversary behavior. The term is derived from US military doctrine (mwi.usma.edu/what-is-armydoctrine).
TTPs categorize behaviors in terms of campaign strategy and approach (tactics), generalized attack vectors (techniques), and specific intrusion tools and methods (procedures).
An indicator of compromise (IoC)is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked.
Put another way, an IoC is evidence of a TTP. TTPs describe what and how an adversary acts and Indicators describe how to recognize what those actions might look like.(stixproject.github.io/documentation/concepts/ ttp-vs-indicator) As there are many different targets and vectors of an attack, so too are there many different potential IoCs. The following is a list of some IoCs that you may encounter:
• Unauthorized software and files
• Suspicious emails
• Suspicious registry and file system changes
• Unknown port and protocol usage
• Excessive bandwidth usage
• Rogue hardware
• Service disruption and defacement
• Suspicious or unauthorized account usage
An IoC can be definite and objectively identifiable, like a malware signature, but often IoCs can only be described with confidence via the correlation of many data points. Because these IoCs are often identified through patterns of anomalous activity rather than single events, they can be open to interpretation and therefore slow to diagnose. Consequently, threat intelligence platforms use AI-backed analysis to speed up detection without overwhelming analysts’ time with false positives.
An engineer routinely provides data to a source that compiles threat intelligence information. The engineer focuses on behavioral threat research. Which information does the engineer provide?
IP addresses associated with malicious behavior
Descriptions of example attacks
Correlation of events observed with known actor indicators
Data available as a paid subscription
B
Behavioral threat research is narrative commentary describing examples of attacks and TTPs gathered through primary research sources.
Reputational threat intelligence includes lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.
Threat data is computer data that can correlate events observed on a customer’s own networks and logs with known TTP and threat actor indicators.
Data that is part of a closed/proprietary system is made available as a paid subscription to a commercial threat intelligence platform. There is no mention of a subscription model in this case.
P36
Threat Intelligence Providers
The outputs from the primary research undertaken by security solutions providers and academics can take three main forms:
• Behavioral threat research—narrative commentary describing examples of attacks and TTPs gathered through primary research sources.
• Reputational threat intelligence—lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.
• Threat data—computer data that can correlate events observed on a customer’s own networks and logs with known TTP and threat actor indicators.
An actor penetrates a system and uses IP spoofing to reroute information to a fraudulent host. Which method does the actor utilize for this purpose?
Data exfiltration
Data breach
Privacy breach
Data leak
A
Data exfiltration refers to the methods and tools by which an attacker transfers data without authorization from the victim’s systems to an external network or media.
A data breach event is where confidential data is read or transferred without authorization. A breach can be intentional/malicious or unintentional/accidental.
A privacy breach occurs when personal data is not collected, stored, or processed in full compliance with the laws or regulations governing personal information.
A breach can also be described as a data leak and is where confidential data is read or transferred without authorization.
An organization hires a pen tester. The tester achieves a connection to a perimeter server. Which technique allows the tester to bypass a network boundary from this advantage?
Persistence
Privilege escalation
Pivoting
Lateral movement
C
If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network.
Persistence is the tester’s ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor.
A pen tester uses privilege escalation in attempts to map out the internal network and discover the services running on it and the accounts configured to access it.
Lateral movement is the action of gaining control over other hosts. This is done partly to discover more opportunities to widen access, partly to identify where valuable data assets might be located, and partly to evade detection.
P80
Pen Test Attack Life Cycle
In the kill chain attack life cycle, reconnaissance is followed by an initial exploitation phase where a software tool is used to gain some sort of access to the target’s network.
This foothold might be accomplished using a phishing email and payload or by obtaining credentials via social engineering.
Having gained the foothold, the pen tester can then set about securing and widening access.
A number of techniques are required:
• Persistence—the tester’s ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor. To do this, the tester must establish a command and control (C2 or C&C) network to use to control the compromised host, upload additional attack tools, and download exfiltrated data. The connection to the compromised host will typically require a malware executable to run after shut down/log off events and a connection to a network port and the attacker’s IP address to be available.
• Privilege escalation—persistence is followed by further reconnaissance, where the pen tester attempts to map out the internal network and discover the services running on it and accounts configured to access it. Moving within the network or accessing data assets are likely to require higher privilege levels. For example, the original malware may have run with local administrator privileges on a client workstation or as the Apache user on a web server. Another exploit might allow malware to execute with system/root privileges, or to use network administrator privileges on other hosts, such as application servers.
• Lateral movement—gaining control over other hosts. This is done partly to discover more opportunities to widen access (harvesting credentials, detecting software vulnerabilities, and gathering other such “loot”), partly to identify where valuable data assets might be located, and partly to evade detection. Lateral movement usually involves executing the attack tools over remote process shares or using scripting tools, such as PowerShell.
• Pivoting—hosts that hold the most valuable data are not normally able to access external networks directly. If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network. A pivot is normally accomplished using remote access and tunneling protocols, such as Secure Shell (SSH), virtual private networking (VPN), or remote desktop.
• Actions on Objectives—for a threat actor, this means stealing data from one or more systems (data exfiltration). From the perspective of a pen tester, it would be a matter of the scope definition whether this would be attempted. In most cases, it is usually sufficient to show that actions on objectives could be achieved.
• Cleanup—for a threat actor, this means removing evidence of the attack, or at least evidence that could implicate the threat actor. For a pen tester, this phase means removing any backdoors or tools and ensuring that the system is not less secure than the pre-engagement state.
An organization requires that a file transfer occurs on a nightly basis from an internal system to a third-party server. IT for both organizations agree on using FTPS. Which configurations does IT need to put in place for proper file transfers? (Select all that apply.)
Configure the use of port 990
Configure the use of port 22
Negotiate a tunnel prior to any exchanged commands
Using Secure Shell (SSH) between client and server
Implicit TLS (FTPS) mode FTPS is tricky to configure when there are firewalls between the client and server, and it uses the secure port 990 for the control connection.
Implicit TLS (FTPS) negotiates an SSL/TLS tunnel before the exchange of any FTP commands.
SSH FTP (SFTP) uses a secure link that is created between the client and server using Secure Shell (SSH) over TCP port 22.
With SFTP, which uses SSH, a secure link is created between the client and server. Ordinary FTP commands and data transfer can then be sent over the secure link without risk of eavesdropping or man-in-the-middle attacks.
An administrator provisions both a new cloud-based virtual server and an on-premises virtual server. Compare the possible virtualization layer responsibilities for the implementation and determine which one applies to this configuration.
CSP is responsible for the cloud, the administrator is responsible for the on-premise.
CSP is responsible for the cloud, the CSP is responsible for the on-premise.
The administrator is responsible for the cloud, the administrator is responsible for the on-premise.
The administrator is responsible for the cloud, the CSP is responsible for the on-premise.
A
The virtualization layer is the underlying layer that provides virtualization capabilities such as a virtual server. The CSP is responsible for this in the cloud. An on-premise installation is the responsibility of the administrator.
The CSP is responsible for the cloud, such as in an IaaS or PaaS implementation, but the administrator is responsible for the on-premise installation.
The administrator is only responsible for the on-premise installation. This underlying virtualization platform might be a Windows Hyper-V server for example.
The Cloud Service Provider (CSP) would be responsible for the platform that the administrator utilizes to create a virtual machine.
P420Matrix
under virtualization layer all CSP
Consider an abstract model of network functions for an infrastructure as code (IaC) implementation and determine which plane describes how traffic is prioritized.
Data
Management
Control
Application
C
The control plane makes decisions about how traffic should be prioritized, secured, and switched. A software-defined networking (SDN) application can be used to define policy decisions.
The data plane handles the actual switching and routing of traffic and imposition of security access controls. Decisions made in the control plane are implemented on the data plane.
The management plane is used to monitor traffic conditions and network status. SDN can be used to manage compatible physical appliances, but also virtual switches, routers, and firewalls.
Applications interface with network devices by using APIs. The interface between the SDN applications and the SDN controller is described as the “northbound” API, while that between the controller and appliances is the “southbound” API.
P442
Software-Defined Networking
IaC is partly facilitated by physical and virtual network appliances that are fully configurable via scripting and APIs.
As networks become more complex—perhaps involving thousands of physical and virtual computers and appliances—it becomes more difficult to implement network policies, such as ensuring security and managing traffic flow. With so many devices to configure, it is better to take a step back and consider an abstracted model about how the network functions. In this model, network functions can be divided into three “planes”:
• Control plane—makes decisions about how traffic should be prioritized and secured, and where it should be switched.
• Data plane—handles the actual switching and routing of traffic and imposition of security access controls.
• Management plane—monitors traffic conditions and network status.
A software-defined networking (SDN)application can be used to define policy decisions on the control plane. These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using APIs. The interface between the SDN applications and the SDN controller is described as the “northbound” API, while that between the controller and appliances is the “southbound” API. SDN can be used to manage compatible physical appliances, but also virtual switches, routers, and firewalls. The architecture supporting rapid deployment of virtual networking using general-purpose VMs and containers is called network functions virtualization (NFV)(redhat.com/en/ topics/virtualization/what-is-nfv). This architecture saves network and security administrators the job and complexity of configuring each appliance with proper settings to enforce the desired policy. It also allows for fully automated deployment (or provisioning) of network links, appliances, and servers. This makes SDN an important part of the latest automation and orchestration technologies.
Compare the components found in a virtual platform and select the options that accurately differentiate between them. (Select all that apply.)
Hypervisors are Virtual Machine Monitors (VMM) and guest operating systems are Virtual Machines (VM).
Hypervisors facilitate interactions with the computer hardware and computers are the platform that hosts the virtual environment.
Computers are the operating systems that are installed under the virtual environment and guest operating systems are the platform that host the virtual environment.
Hypervisors are operating systems and computers are the platform that hosts the virtual environment.
AB
Hypervisors are the Virtual Machine Monitor (VMM) and guest operating systems are the Virtual Machines (VM) found within the virtual platform.
Hypervisors manage the virtual machine environment and facilitate interaction with the computer hardware and network. The computer component is the platform that hosts the virtual environment. Multiple computers may also be networked together.
Computers are the platform of the virtual environment and guest operating systems are the operating systems installed under the virtual environment.
Guest operating systems are the operating systems installed under the virtual environment and computers are platform that hosts the virtual environment.
After a company moves on-premise systems to the cloud, engineers devise to use a serverless approach in a future deployment. What type of architecture will engineers provision in this deployment? (Select all that apply.)
Virtual machine
Physical server
Containers
Microservices
CD
When a client requires some operation to be processed in a serverless environment, the cloud spins up a container to run the code, performs the processing, and then destroys the container.
With serverless technologies, applications are developed as functions and microservices, each interacting with other functions to facilitate client requests.
A virtual machine or VM is a fully operational operating system functioning as a guest instance on a physical host.
A physical machine or server is a fully operational operating system that functions on a physical host system and is not dependent on any virtual technology.
Based on knowledge of identity and authentication concepts, select the true statement.
A user profile must be unique.
Credentials could include name, contact details, and group memberships.
An identifier could be a username and password, or smart card and PIN code.
An account consists of an identifier, credentials, and a profile.
D
An account consists of an identifier, credentials, and a profile. An account identifies a user on a computer system.
An identifier must be unique, not a profile. This is accomplished by defining the account on the system by a Security Identifier (SID) string.
A profile, not credentials, could include name and contact details, as well as group memberships.
Credentials, not an identifier, could be a username and password or smart card and PIN code. This is the information used to authenticate a subject when it attempts user account access.
A guard station deploys a new security device for accessing a classified data station. The installation tech tests the device’s improvements for speed and pressure. Which behavioral technology does the tech test?
Voice recognition
Gait analysis
Typing
Signature recognition
D
Signatures are relatively easy to duplicate, but it is more difficult to fake the actual signing process. Signature matching records the user applying their signature (stroke, speed, and pressure of the stylus).
Voice recognition is relatively cheap, as the hardware and software required are built into many standard PCs and mobiles. However, obtaining an accurate template can be difficult and time-consuming.
Gait analysis produces a template from human movement (locomotion). The technologies can either be camera-based or use smartphone features, such as an accelerometer and gyroscope.
Typing is used to match the speed and pattern of a user’s input of a passphrase.
P185
• Voice recognition—relatively cheap, as the hardware and software required are built into many standard PCs and mobiles. However, obtaining an accurate template can be difficult and time-consuming. Background noise and other environmental factors can also interfere with logon. Voice is also subject to impersonation.
• Gait analysis—produces a template from human movement (locomotion). The technologies can either be camera-based or use smartphone features, such as an accelerometer and gyroscope.
• Signature recognition—signatures are relatively easy to duplicate, but it is more difficult to fake the actual signing process. Signature matching records the user
applying their signature (stroke, speed, and pressure of the stylus).
• Typing—matches the speed and pattern of a user’s input of a passphrase.
An organization considers installing fingerprint scanners at a busy entry control point to a secure area. What concerns might arise with the use of this technology? (Select all that apply.).
Fingerprint scanning is relatively easy to spoof.
Installing equipment is cost-prohibitive.
Surfaces must be clean and dry.
The scan is highly intrusive.
AC
The main problem with fingerprint scanners is that it is possible to obtain a copy of a user’s fingerprint and create a mold of it that will fool the scanner.
The technology required for scanning and recording fingerprints is relatively inexpensive, and the process quite straightforward. A fingerprint sensor is usually a small capacitive cell that can detect the unique pattern of ridges making up the pattern.
Moisture or dirt can prevent good readings, so facilities using fingerprint scanners must keep readers clean and dry, which can prove challenging in high throughput areas.
Fingerprint technology is non-intrusive and relatively simple to use.
An administrator plans a backup and recovery implementation for a server. The goal is to have a full backup every Sunday followed by backups that only include changes every other day of the week. In the event of a catastrophe, the restore time needs to be as quick as possible. Which scheme does the administrator use?
Full followed by incrementals
Image followed by incrementals
Full followed by differentials
Snapshot followed by differentials
C
A full backup includes data regardless of its last backup time. A differential backup includes new and modified files since the last backup. A differential restore is quicker than an incremental.
A full backup includes data regardless of its last backup time. An incremental backup includes new and modified files since the last backup. A restore can be time consuming based on the number of sets involved.
An image is not a backup type in a backup scheme, but is a disk imaging process. An incremental backup includes new files and files modified since the last backup.
A snapshot is a method to backup open files. A differential backup includes new and modified files since the last full backup.
A security specialist reviews an open data closet and discovers areas for improvement. Most notable is the exposed connectivity media. Which concerns does the specialist have regarding the need for better security? (Select all that apply.)
Eavesdropping
Speed
Damage
Length
AC
A physically secure cabled network is referred to as a protected distribution system (PDS). This method of cable installation can deter eavesdropping.
A hardened PDS is one where all cabling is routed through sealed metal conduit. This type of enclosure protects the cabling from accidental or intentional damage.
The speed, or throughput, of a network cable is dependent on the type of cable such as Cat5 versus Cat6. The cable speed is typical based on the number of twists inside the cable and is not a security concern.
The length of a network cable is dependent on the type of cable such as Cat5 versus Cat6. The cable length dictates how far signal can travel and is not a security concern.
P560
Protected Distribution and Faraday Cages
A physically secure cabled network is referred to as protected cable distribution or as a protected distribution system (PDS). There are two principal risks:
• An intruder could attach eavesdropping equipment to the cable (a tap).
• An intruder could cut the cable (Denial of Service).
A hardened PDS is one where all cabling is routed through sealed metal conduit and subject to periodic visual inspection. Lower-grade options are to use different materials for the conduit (plastic, for instance). Another option is to install an alarm system within the cable conduit, so that intrusions can be detected automatically. It is possible to install communications equipment within a shielded enclosure, known as a Faraday Cage. The cage is a charged conductive mesh that blocks signals from entering or leaving the area. The risk of eavesdropping from leakage of electromagnetic signals was investigated by the US DoD who defined TEMPEST (Transient Electromagnetic Pulse Emanation Standard) as a means of shieldingthe signals.
Systems administrators configure an application suite that uses a collection of single hash functions and symmetric ciphers to protect sensitive communication. While the suite uses these security features collectively, how is each instance recognized?
As non-repudiation
As a cryptographic system
As a cryptographic primitive
As a key pair
C
A single hash function, symmetric cipher, or asymmetric cipher is called a cryptographic primitive. The properties of different symmetric/asymmetric/hash types and of specific ciphers for each type impose limitations when used alone.
Non-repudiation depends on a recipient not being able to encrypt the message, or the recipient would be able to impersonate the sender.
A complete cryptographic system or product is likely to use multiple cryptographic primitives, such as within a cipher suite.
To use a key pair, the user or server generates the linked keys. These keys are an example of a cryptographic primitive that uses a symmetric cipher.
P121
A single hash function, symmetric cipher, or asymmetric cipher is called a cryptographic primitive. A complete cryptographic system or product is likely to use multiple cryptographic primitives, such as within a cipher suite.
The properties of different symmetric/asymmetric/hash types and of specific ciphers for each type impose limitations on their use in different contexts and for different purposes. If you are able to encrypt a message in a particular way, it follows that the recipient of the message knows with whom he or she is communicating (that is, the sender is authenticated). This means that encryption can form the basis of identification, authentication, and access control systems.
An engineer considers blockchain as a solution for record-keeping. During planning, which properties of blockchain does the engineer document for implementation? (Select all that apply.)
Using a peer-to-peer network
Obscuring the presence of a message
Partially encrypting data
Using cryptographic linking
AD
Blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, it is distributed across a peer-to-peer (P2P) network.
The hash value of a previous block in a chain is added to the hash calculation of the next block in the chain. This ensures that each successive block is cryptographically linked.
Steganography is a technique for obscuring the presence of a message. Typically, information is embedded where it is not expected.
Homomorphic encryption is a solution that allows an entity to use information in particular fields within the data while keeping the data set as a whole encrypted.
P131
Blockchainis a concept in which an expanding list of transactional records is secured using cryptography. Each record is referred to as a blockand is run through a hash function. The hash value of the previous block in the chain is added to the hash calculation of the next block in the chain. This ensures that each successive block is cryptographically linked. Each block validates the hash of the previous block, all the way through to the beginning of the chain, ensuring that each historical transaction has not been tampered with. In addition, each block typically includes a timestamp of one or more transactions, as well as the data involved in the transactions themselves.
The blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, one of the most important characteristics of a blockchain is that it is decentralized. The ledger is distributed across a peer-to-peer (P2P) network in order to mitigate the risks associated with having a single point of failure or compromise. Blockchain users can therefore trust each other equally. Likewise, another defining quality of a blockchain is its openness—everyone has the same ability to view every transaction on a blockchain.
Blockchain technology has a variety of potential applications. It can ensure the integrity and transparency of financial transactions, online voting systems, identity management systems, notarization, data storage, and more. However, blockchain is still an emerging technology, and outside of cryptocurrencies, has not yet been adopted on a wideranging scale.
A new systems administrator at an organization has a difficult time understanding some of the configurations from the previous IT staff. It appears many shortcuts were taken to keep systems running and users happy. Which weakness does the administrator report this configuration as?
Complex dependencies
Overdependence on perimeter security
Availability over confidentiality and integrity
Single points of failure
C
Availability over confidentiality and integrity is often presented by taking “shortcuts” to get a service up and running. Compromising security might represent a quick fix but creates long term risks.
Complex dependencies may include services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services.
Overdependence on perimeter security can occur if the network architecture is “flat.” Penetrating the network edge gives the attacker freedom of movement.
A single point of failure is a “pinch point” in a network that may rely on a single hardware server or appliance.
P236
Secure Network Designs
A secure network design provisions the assets and services underpinning business workflows with the properties of confidentiality, integrity, and availability. Weaknesses in the network architecture make it more susceptible to undetected intrusions or to catastrophic service failures. Typical weaknesses include:
• Single points of failure—a “pinch point” relying on a single hardware server or appliance or network channel.
• Complex dependencies—services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services.
• Availability over confidentiality and integrity—often it is tempting to take “shortcuts” to get a service up and running. Compromising security might represent a quick fix but creates long term risks.
• Lack of documentation and change control—network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted. It is vital that network managers understand business workflows and the network services that underpin them.
• Overdependence on perimeter security—if the network architecture is “flat” (that is, if any host can contact any other host), penetrating the network edge gives the attacker freedom of movement.
An engineer configures a proxy to control access to online content for all users in an organization. Which proxy type does the engineer implement by using an inline network appliance? (Select all that apply.)
Non-transparent
Transparent
Intercepting
Application
BC
A transparent proxy must be implemented on a switch, router, or other inline network appliance.
An intercepting proxy (known as a transparent proxy) is configured to intercept client traffic without the client having to be reconfigured.
A non-transparent proxy configuration means that the client must be configured with the proxy server address and port number to use it.
Proxy servers can be application-specific; others are multipurpose. A multipurpose proxy is one configured with filters for multiple protocol types. In this case, the target is not a specific application.
P271
A proxy server must understand the application it is servicing. For example, a web proxy must be able to parse and modify HTTP and HTTPS commands (and potentially HTML and scripts too). Some proxy servers are application-specific; others are multipurpose. A multipurpose proxy is one configured with filters for multiple protocol types, such as HTTP, FTP, and SMTP. Proxy servers can generally be classed as non-transparent or transparent.
• A non-transparent proxymeans that the client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080.auto
• A transparent (or forced or intercepting) proxyintercepts client traffic without the client having to be reconfigured. A transparent proxy must be implemented on a switch or router or other inline network appliance.
Analyze the following statements and select the one that describes key differences between internet protocol security (IPSec) modes.
Transport mode allows communication between virtual private networks (VPNs), while tunnel mode secures communications between hosts on a private network.
Authentication Header (AH) mode does not provide confidentiality, as the payload is not encrypted. Encapsulation Security Payload (ESP) mode provides confidentiality and/or authentication and integrity.
Tunnel mode allows communication between virtual private networks (VPNs), while transport mode secures communications between hosts on a private network.
Encapsulation Security Payload (ESP) mode does not provide confidentiality, as the payload is not encrypted. Authentication Header (AH) mode provides confidentiality and/or authentication and integrity.
C
Tunnel mode, also called router implementation, creates a virtual private network (VPN), allowing communications between VPN gateways across an unsecure network.
Transport mode secures communications between hosts on a private network (an end-to-end implementation).
The AH protocol authenticates the origin of transmitted data and provides integrity and protection against replay attacks. The payload is not encrypted, so this protocol does not provide confidentiality.
ESP is an IPSec sub-protocol that enables encryption and authentication of a data packet’s header and payload. Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity, and can be used to encrypt the packet.
P316
IPSec can be used in two modes:
• Transport mode—this mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header.
• Tunnel mode—this mode is used for communications between VPN gateways across an unsecure network (creating a VPN). This is also referred to as a router implementation. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in tunnel mode, as confidentiality will usually be required.
An organization installs embedded system throughout a manufacturing plant. When planning the install, engineers had to consider system constraints related to identification. As a result, which areas of the main systems are impacted? (Select all that apply.)
Compute
Network
Crypto
Authentication
CD(因為這個題目在問跟認證有關的選項)
The lack of compute resources means that embedded systems are not well-matched to the cryptographic identification technologies that are widely used on computer networks.
As embedded systems become more accessible, they will need to use authentication technologies to ensure consistent confidentiality, integrity, and availability.
Due to their size, embedded systems are usually constrained in terms of processor capability (cores and speed), system memory, and persistent storage.
Networks for embedded systems emphasize the power-efficient transfer of small amounts of data with a high degree of reliability and low latency.
P341
Identify the true statements about supervisory control and data acquisition (SCADA) systems. (Select all that apply.)
SCADA systems typically communicate with one another through LAN connections.
SCADA systems typically run as software on ordinary computers, gathering data from and managing field devices.
SCADA systems are purpose-built devices that prioritize IT security features.
SCADA systems serve primarily industrial, manufacturing, utility, and logistics sectors.
BD
SCADA typically runs as software on ordinary computers, gathering data from and managing plant devices and equipment, with embedded PLCs, referred to as field devices.
Many sectors of industry, including utilities, industrial processing, fabrication and manufacturing, logistics, and facilities management use these types of systems.
SCADA typically use WAN communications, such as cellular or satellite, to link the SCADA server to field devices.
ICS/SCADA was historically built without regard to IT security, though there is now high awareness of the necessity of enforcing security controls to protect them, especially when they operate in a networked environment.
P344
An engineering firm provisions microwave technology for a wide area communications project. When using point-to-multipoint (P2M) mode, which technologies does the firm put in place? (Select all that apply.)
Directional antennas
Sectoral antennas
Multiple sites connected to a single hub
High gain link between two sites
BC
Point-to-multipoint (P2M) microwave links multiple sites and uses smaller sectoral antennas than P2P, each covering a separate quadrant.
P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum.
A high gain connection means that the antennas used between sites are highly directional. Each antenna is pointed directly at the other.
Point-to-point (P2P) microwave uses high gain antennas to link two sites. The satellite modems or routers are also normally paired to one another.
P372
Point-to-multipoint (P2M)microwave uses smaller sectoral antennas, each covering a separate quadrant. Where P2P is between two sites, P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum. Each subscriber node is distinguished by multiplexing. Because of the higher risk of signal interception compared to P2P, it is crucial that links be protected by over-the-air encryption.
A company follows a bring your own device (BYOD) mobile implementation. What is an ideal solution the company can use to overcome some of the security risks involved with employee-supplied devices?
Virtual desktop infrastructure (VDI)
Location services
Remote wipe
Carrier unlocking
A
Virtual desktop infrastructure (VDI) means provisioning an OS desktop to interchangeable hardware. The hardware only has to be capable of running a VDI client viewer or have a browser support a clientless HTML5 solution. Each time a user accesses VDI, the session is “as new” and employees can remotely access it.
Location services alone represent a security risk. Location services can use geo-fencing to enforce context-aware authentication based on the device’s location.
If a malicious actor steals a user’s device using a remote wipe (kill switch), it can reset the device to factory defaults or clear personal data (sanitization).
Carrier unlocking involves the removal of restrictions that lock a device to a single carrier and uses it for privilege escalation.
P423
Virtual desktop infrastructure (VDI)refers to using a VM as a means of provisioning corporate desktops. In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers. When the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server infrastructure. The user makes a connection to the VM using some sort of remote desktop protocol (Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the correct image and use an appropriate authentication mechanism. There may be a 1:1 mapping based on machine name or IP address or the process of finding an image may be handled by a connection broker.
P623
Virtual Desktop Infrastructure (VDI) allows a client device to access a VM. In this scenario, the mobile device is the client device. Corporate data is stored and processed on the VM so there is less chance of it being compromised, even though the client device itself is not fully managed
A cloud engineer configures a virtual private cloud. While trying to create a public subnet, the engineer experiences difficulties. The issue is that the subnet remains private, while the goal is to have a public subnet. What does the engineer conclude the problem might be?
The Internet gateway is configured as the default route.
The Internet gateway is not configured as the default route.
The Internet gateway uses 1:1 network address translation.
The Internet gateway does not use 1:1 network address translation.
B
To configure a public subnet, first an Internet gateway (virtual router) must be attached to the VPC configuration. Secondly, the Internet gateway must be configured as the default route for each public subnet.
After a VPC has a virtual router attached, a gateway is set as a default route. If an Internet gateway is not assigned as a default route, the subnet is private.
Each instance in a public subnet is configured with a public IP in its cloud profile. The Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance.
Typically, the virtual Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance. One-to-many is another NAT approach.
P433
Virtual Private Clouds (VPCs)
Each customer can create one or more virtual private clouds (VPCs)attached to their account. By default, a VPC is isolated from other CSP accounts and from other VPCs operating in the same account. This means that customer A cannot view traffic passing over customer B’s VPC. The workload for each VPC is isolated from other VPCs. Within the VPC, the cloud consumer can assign an IPv4 CIDR block and configure one or more subnets within that block. Optionally, an IPv6 CIDR block can be assigned also.
The following notes focus on features of networking in AWS. Other vendors support similar functionality, though sometimes with different terminology. For example, in Microsoft Azure, VPCs are referred to as virtual networks.
Public and Private Subnets
Each subnet within a VPC can either be private or public. To configure a public subnet, first an Internet gateway (virtual router) must be attached to the VPC configuration. Secondly, the Internet gateway must be configured as the default route for each public subnet. If a default route is not configured, the subnet remains private, even if an Internet gateway is attached to the VPC. Each instance in the subnet must also be configured with a public IP in its cloud profile. The Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance.
The instance network adapter is not configured with this public IP address. The instance’s NIC is configured with an IP address for the subnet. The public address is used by the virtualization management layer only. Public IP addresses can be assigned from your own pool or from a CSP-managed service, such as Amazon’s Elastic IP
A business is setting up new network devices. Compare the permissions allocated to each account and determine which type of account is most appropriate for the installation of device drivers.
Administrator/Root account
Administrator’s user account
Network service account
Local service account
A
The local system account creates the host processes that start Windows before the user logs on. Administrative or privileged accounts can install and remove apps and device drivers. Admin should prohibit superuser accounts from logging on in normal circumstances.
Admin should replace the default superuser with named accounts that have sufficient elevated privileges for a given job role. This ensures that admin can audit administrative activity and the system conforms to non-repudiation.
A network service account has the same privileges as the standard user account but can present the computer’s account credentials when accessing network resources.
A local service account has the same privileges as the standard user account. It can only access network resources as an anonymous user.
A user enters a card equipped with a secure processing chip into a reader and then enters a PIN for Kerberos authentication. What authentication method is described here? (Select all that apply.)
Trusted Platform Module (TPM) authentication
Smart-card authentication
Multifactor authentication
One-time password (OTP) token authentication
BC
Smart-card authentication means programming cryptographic information onto a card equipped with a secure processing chip. The chip stores the user’s digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card.
Strong, multifactor authentication (MFA) technology combines the use of more than one type of knowledge, ownership, and biometric factor.
A Trusted Platform Module (TPM) is a cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. The TPM is usually a module within the CPU and can be used to present a virtual smart card.
A one-time password (OTP) is generated automatically, rather than being chosen by a user, and used only once.
Which of the following defines key usage with regard to standard extensions?
The purpose for which a certificate was issued
The ability to create a secure key pair
Configuring the security log to record key indicators
To archive a key with a third party
A
One of the most important standard extensions is key usage. This extension defines the purpose for issuing a digital certificate, such as for signing documents or key exchange.
The ability to create a secure key pair of the required strength using the chosen cipher is key generation, not key usage.
Configuring the security log to record key indicators and then reviewing the logs for suspicious activity is usage auditing, not key usage.
In terms of key management, escrow refers to archiving a key (or keys) with a third party. It is not key usage.
P140
A user enters the web address of a favorite site and the browser returns the following: “There is a problem with this website’s security certificate.” The user visits this website frequently and has never had a problem before. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Select all that apply.)
The system’s time setting is incorrect.
The certificate is pinned.
The web address was mistyped.
The certificate expired.
AD
If the date and time settings on the system are not synchronized with the server’s setting, the server’s certificate will be rejected.
An expired server certificate would cause the browser to return an error message.
Certificate pinning ensures that when a client inspects the certificate presented by a server, it is inspecting the proper certificate. This is mostly done to prevent a Man-in-the-Middle attack and would not generate an error message.
A mistyped web address would not return an error message about the server certificate. It would return a message that the website could not be found.
A suspected network breach prompts an engineer to investigate. The engineer utilizes a set of command line tools to collect network routing data. While doing so, the engineer discovers that UDP communications is not working as expected. Which tool does the engineer experience difficulty with?
route
tracert
pathping
traceroute
The traceroute command performs route discovery from a Linux host. This command uses UDP probes rather than ICMP, by default.
The route command displays and modifies a system’s local routing table. This command does not collect network data.
The tracert command uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. This command is a Windows based tool.
The pathping command is a Windows tool that provides statistics for latency and packet loss along a route over a measuring period.
There are a variety of methods for indicating a potential security breach during the identification and detection phase of incident response. Two examples are Intrusion Detection System (IDS) alerts and firewall alerts. Evaluate the following evidence and select the alternate methods that would be of most interest to the IT department during this phase. (Select all that apply.)
A daily industry newsletter reports on a new vulnerability in the software version that runs on the company’s server.
An anonymous employee uses an “out of band” communication method to report a suspected insider threat.
The marketing department contacts the IT department because they cannot post a company document to the company’s social media account.
An employee calls the help desk because the employee is working on a file and is unable to save it to a USB to work on at home.
AB
A media report of a newly discovered vulnerability in the version of software that’s currently running would be valuable information that should be addressed immediately.
A whistleblower with information about a potential insider threat would be worthy of pursuit. “Out of band” is an authenticated communications channel separate from the company’s primary channel.
If the marketing department is trying to post a document that has been identified as confidential data, the IT department would not be concerned since the company’s data loss prevention mechanisms are working.
If an employee is trying to save a document that has been identified as confidential data to USB and it fails, the IT department would not be concerned since the company’s data loss prevention mechanisms are working.
A response team has to balance the need for business continuity with the desire to preserve evidence when making incident management decisions. Consider the following and determine which would be an effective course of action for the goal of collecting and preserving evidence to pursue prosecution of the attacker(s)? (Select all that apply.)
Analysis
Quarantine
Hot swap
Prevention
BC
Quarantining is the process of isolating a file, computer system, or computer network to prevent the spread of a virus or another cybersecurity incident. This allows for analysis of the attack and collection of evidence.
A hot swap involves bringing a backup system into operation, and the live system is frozen to preserve evidence of the attack.
Analysis is an early stage in the process and involves determining whether a genuine incident has been identified and what level of priority it should be assigned. Gathering and preserving evidence is not a consideration at this point.
Prevention occurs when the response team takes countermeasures to end the incident on the live system, without regard to preserving evidence.
A company hires a security consultant to train the IT team in incident response procedures. The consultant facilitates a question and answer session, and the IT team practices running scans. Examine the scenario and determine which type of incident response exercise the consultant conducts.
Tabletop exercise
Walkthrough
Simulation
Forensics
B
In a walkthrough, a facilitator presents a scenario and the incident responders demonstrate what actions they would take. Responders may run scans and analyze sample files, typically on sandboxed versions of the company’s actual response and recovery tools.
The facilitator in a tabletop exercise presents a scenario and the responders explain what action they would take to manage the threat—without the use of computer systems.
Simulations are team-based exercises, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise.
Digital forensics describes techniques to collect and preserve evidence. Forensics procedures are detailed and time-consuming, where the purpose of incident responses are usually urgent.
During a cyber incident response exercise, a blue team takes steps to ensure the company and its affiliates can still use network systems while managing a simulated threat in real-time. Based on knowledge of incident response procedures, what stage of the incident response process is the blue team practicing?
Containment
Identification
Eradication
Recovery
A
The goal of the containment stage is to secure data while limiting the immediate impact on customers and business partners.
Based on an alert or report, identification determines whether an incident has taken place, how severe it might be (triage), and notifies stakeholders.
Once the security admin contains the incident, eradication removes the cause and restores the affected system to a secure state.
When security admin eradicates the cause of the incident, they can reintegrate the system into the business process that it supports. This recovery phase may involve restoration of data from backup and security testing.
A security and information event management (SIEM) handler’s dashboard provides graphical representations of user profile trends. The graphic contrasts standard user activity with administrative user activity and flags activity that deviates from these clusters. This graphical representation utilizes which trend analysis methodology?
Frequency-based trend analysis
Volume based trend analysis
Statistical deviation analysis
Syslog trend analysis
C
Statistical deviation analysis can alert security admin to a suspicious data point. A cluster graph might show activity by standard users and privileged users, and data points outside these clusters may indicate suspicious account activity.
Frequency-based trend analysis establishes a baseline for a metric, and if frequency exceeds the baseline threshold, then the system raises an alert.
Volume-based trend analysis uses simpler indicators, such as log or network traffic volume, or endpoint disk usage. Unusual log growth needs investigating, and unexpected disk capacity may signify data exfiltration.
Syslog provides an open format, protocol, and server software for logging event messages. A very wide range of host types use Syslog.
A security investigator compiles a report for an organization that lost data in a breach. Which ethical approach does the investigator apply while collecting data for the report?
Search for relevant information
Apply standard tags to files
Disclosing of evidence
Using repeatable methods
D
Analysis methods should follow strong ethical principles and must be repeatable by third parties with access to the same evidence. This can indicate that any evidence has not been changed or manipulated.
Searching information through e-discovery allows investigators to locate files of interest to the case. As well as keyword search, software might support semantic search.
Applying standardized keywords or tags to files and metadata helps to organize evidence. Tags might be used to indicate relevancy to a case or part of a case.
Disclosure is an important part of trial procedure. Disclosure states that the same evidence be made available to both plaintiff and defendant.
Which of the following sets properly orders forensic data acquisition by volatility priority?
- System memory caches 2. Data on persistent mass storage devices 3. Archival media 4. Remote monitoring data
- System memory caches 2. Remote monitoring data 3. Data on persistent mass storage devices 4. Archival media
- Data on persistent mass storage devices 2. System memory caches 3. Remote monitoring data 4. Archival media
- Remote monitoring data 2. Data on persistent mass storage devices 3. System memory caches 4. Archival media
C
CPU registers and cache memory are most highly volatile, although they may not be accessible as sources of forensics evidence. Non-persistent system memory (RAM) contents, including routing table, ARP cache, process table, kernel statistics occupy the second volatility priority.
The third most volatile category includes data on persistent mass storage devices. This includes system memory caches, partition and file system blocks, slack space, free space, temporary file caches, and user, application, and OS files and directories.
Remote logging and monitoring data comprise the fourth most volatile form of data, followed by physical configuration and network topology.
Archival media and printed documents are considered least volatile.
P500
Data acquisition usually proceeds by using a tool to make an image from the data held on the target device. An image can be acquired from either volatile or nonvolatile storage. The general principle is to capture evidence in the order of volatility, from more volatile to less volatile. The ISOC best practice guide to evidence collection and archiving, published as tools.ietf.org/html/rfc3227, sets out the general order as follows:
1. CPU registers and cache memory (including cache on disk controllers, GPUs, and so on).
2. Contents of nonpersistent system memory (RAM), including routing table, ARP cache, process table, kernel statistics.
3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):
• Partition and file system blocks, slack space, and free space.
• System memory caches, such as swap space/virtual memory and hibernation files.
• Temporary file caches, such as the browser cache.
• User, application, and OS files and directories.
4. Remote logging and monitoring data.
5. Physical configuration and network topology.
6. Archival media and printed documents.
After a break-in at a government laboratory, some proprietary information was stolen and leaked. Which statement best summarizes how the laboratory can implement security controls to prevent future breaches?
The laboratory needs to take detective action and should implement physical and deterrent controls in the future.
The laboratory needs to take detective action and should implement corrective controls in the future.
The laboratory needs to take compensatory action and should implement physical controls in the future.
The laboratory needs to take corrective action and should implement both physical and preventative controls in the future.
D
Following a break-in that included both physical intrusion and data compromise, the lab should take corrective action to reduce the impact of the intrusion event. Implementing preventative measures can help secure data from future attacks, and physical controls can mitigate the probability of future physical break-ins.
Deterrent controls, such as warning signs, may not physically or logically prevent access, but psychologically discourage attackers from attempting an intrusion.
Detective controls, such as logs, which operate during an attack, may not prevent or deter access, but they will identify and record any attempted or successful intrusion.
Compensating controls serve as a substitute for a principal control, but corrective controls reduce the impact of an intrusion event.
Which of the following policies support separation of duties? (Select all that apply.)
Employees must take at least one, five-consecutive-day vacation each year.
Employees must stay in the same role for a minimum of two years prior to promotion.
A principle of least privilege is utilized and critical tasks are distributed between two employees.
Standard Operating Procedures (SOPs) are in effect in each office.
ACD(?A???
Mandatory vacations force employees to take earned vacation time. During this time, someone else fulfills their duties while they are away so audits can occur and potential discrepancies can be identified.
The principle of least privilege solely grants a user sufficient rights to perform a specific job. For critical tasks, duties should be divided between several people.
Standard Operating Procedures (SOPs) result in the employee having no cause for lapses in following protocol in terms of performing these types of critical operations.
It is advisable that employees do not stay in the same role for an extended period of time. For example, managers may be moved to different departments periodically.
P192
Separation of Duties
Separation of dutiesis a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers. An employee is supposed to work for the interests of their organization exclusively. A situation where someone can act in his or her own interest, personally, or in the interests of a third party is said to be a conflict of interest. Separation of duties means that employees must be constrained by security policies:
• Standard operating procedures (SOPs) mean that an employee has no excuse for not following protocol in terms of performing these types of critical operations.
• Shared authority means that no one user is able to action or enable changes on his or her own authority. At least two people must authorize the change. One example is separating responsibility for purchasing (ordering) from that of authorizing payment. Another is that a request to create an account should be subject to approval and oversight. Separation of duties does not completely eliminate risk because there is still the chance of collusion between two or more people. This, however, is a much less likely occurrence than a single rogue employee.
An IT engineer looks to practice very rigid configuration management. The primary goal is to ensure very little deviation from an initial install of systems. Which method does the engineer utilize to accomplish this?
Templates
Diagrams
Baselines
Microservices
C
A baseline configuration is the template of settings that a device, VM instance, or other CI was configured to, and that a system should continue to match while in use.
A template is a predefined set of settings that are used when deploying a system. With configuration management, a template helps to deploy a uniform environment.
Diagrams are the best way to capture the complex relationships between network elements. Diagrams can be used to show how CIs are involved in business workflows.
With serverless technologies, applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. Microservices are not a management item.
An organization prepares for an audit of all systems security. While doing so, staff perform a risk management exercise. Which phase does the staff consider first?
Identify vulnerabilities
Identify essential functions
Analyze business impact
Identify risk response
B
Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed. Identifying these systems and processes should be done first.
Identifying vulnerabilities for each function or workflow (starting with the most critical) is done by analyzing systems and assets to discover and list any vulnerabilities or weaknesses.
Analyzing business impacts identifies the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems.
Identifying risk response for each risk requires identifying possible countermeasures and assesses the cost of deploying additional security controls to protect systems and processes.
P510
Risk managementis a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers. You can think of this process as being performed over five phases:
1. Identify mission essential functions—mitigating risk can involve a large amount of expenditure so it is important to focus efforts. Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed. Part of this process involves identifying critical systems and assets that support these functions.
2. Identify vulnerabilities—for each function or workflow (starting with the most critical), analyze systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible.
3. Identify threats—for each function or workflow, identify the threat sources and actors that may take advantage of or exploit or accidentally trigger vulnerabilities.
4. Analyze business impacts—the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems are the factors used to assess risk. There are quantitative and qualitative methods of analyzing impacts and likelihood.
5. Identify risk response—for each risk, identify possible countermeasures and assess the cost of deploying additional security controls.
Most risks require some sort of mitigation, but other types of response might be more appropriate for certain types and level of risks.
When a company first installed its computer infrastructure, IT implemented robust security controls. As the equipment ages, however, those controls no longer effectively mitigate new risks. Which statement best summarizes the company’s risk posture?
The company’s aging infrastructure constitutes a control risk.
The company demonstrates risk transference, assigning risk to IT personnel.
The company can expect little to no impact from an outage event.
The company demonstrates effective risk mitigation techniques for low priority systems.
A
Control risk measures how much less effective a security control has become over time. Risk management is an ongoing process, requiring continual reassessment and re-prioritization.
Transference (or sharing) means assigning risk to a third-party, such as an insurance company or a contract with a supplier that defines liabilities. A company’s IT department is not a third-party.
A security categorization (SC) of low risk describes an impact as minor damage to an asset or loss of performance (though essential functions remain operational).
Companies may accept some risks. Risk acceptance means that no countermeasures are emplaced either because the level of risk does not justify the cost or because there will be unavoidable delay before deploying the countermeasures.
A power outage disrupts a medium-sized business, and the company must restore systems from backups. If the business can resume normal operations from a backup made two days ago, what metric does this scenario represent?
Recovery Point Objective (RPO)
Recovery time objective (RTO)
Maximum tolerable downtime (MTD)
Work Recovery Time (WRT)
A
RPO is the amount of data loss a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means the system can recover the data (from a backup copy) to a point not more than 24 hours before the infection.
RTO is the post-disaster period an IT system may remain offline, including the amount of time it takes to identify a problem and perform recovery.
MTD is the longest period of time that a business function outage may occur, without causing irrecoverable business failure.
Following system recovery, WRT is the additional work necessary to reintegrate systems, test functionality, and brief users on changes and updates to fully support the business function.
A national intelligence agency maintains data on threat actors. If someone intercepted this data, it would pose a serious threat to national security. Analyze the risk of exposure and determine which classification this data most likely holds.
Confidential
Secret
Top secret
Proprietary
C
Critical or top secret information is too valuable to allow any risk of its capture. Viewing is severely restricted.
Confidential or secret information is highly sensitive, for viewing only by approved persons within the owner organization, and possibly by trusted third parties under NDA.
The terms confidential and secret are sometimes used interchangeably, but some agencies make a distinction between confidential and secret data.
Another type of classification schema identifies the kind of information asset. Proprietary information or intellectual property (IP) is information a company creates and owns; typically about the products or services that they make or perform.
The U.S. department of defense (DoD) awards an IT contract to a tech company to perform server maintenance at a storage facility. What type of agreement must the DoD enter with the tech company to commit the company to implementing agreed upon security controls?
Interconnection security agreement (ISA)
Non-disclosure agreement (NDA)
Data sharing and use agreement
Service level agreement (SLA)
A
Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.
An NDA establishes a legal basis for protecting information assets. If a party breaks this agreement and shares prohibited information, they may face legal consequences.
Data sharing and use agreements specify the purpose for which an entity can collect and analyze data, and proscribes the use of re-identification techniques.
An SLA is a contractual agreement detailing the terms under which a contractor provides service. This includes terms for security access controls and risk assessments plus processing requirements for confidential and private data.
Any external responsibility for an organization’s security lies mainly with which individuals?
The owner
Tech staff
Management
Public relations
A
External responsibility for security (due care or liability) lies mainly with directors or owners. It is important to note that all employees share some measure of responsibility.
Technical and specialist staff have the direct responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators.
Managers at an organization may have responsibility for a specific domain or unit, such as building control, ICT, or accounting.
Non-technical staff have the responsibility of complying with policy and with any relevant legislation. Public relations is responsible for media communications.
What distinguishes DevSecOps from a traditional SOC?
Software code is the responsibility of a programming or development team.
Identification as a single point-of-contact for the notification of security incidents.
A cultural shift within an organization to encourage much more collaboration.
Security is a primary consideration at every stage of software development.
D
DevSecOps extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment.
Traditionally, software code would be the responsibility of a programming or development team. Separate development and operations departments or teams can lead to silos.
A dedicated cyber incident response team (CIRT)/computer security incident response team (CSIRT)/computer emergency response team (CERT) as a single point-of-contact for the notification of security incidents.
Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators.
The _____ requires federal agencies to develop security policies for computer systems that process confidential information.
Sarbanes-Oxley Act (SOX)
Computer Security Act
Federal information Security Management Act (FISMA)
Gramm-Leach-Bliley Act (GLBA)
B
The Computer Security Act (1987) specifically requires federal agencies to develop security policies for computer systems that process confidential information.
The Sarbanes-Oxley Act (2002) mandates the implementation of risk assessments, internal controls and audit procedures. This act is not for any specific entity.
The Federal Information Security Management Act (2002) governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program.
The Gramm-Leach-Bliley Act (1999) is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.
A company has one technician that is solely responsible for applying and testing software and firmware patches. The technician goes on a two-week vacation, and no one is tasked to perform the patching duties during this time. A critical patch is released and not installed due to the absence. According to the National Institute of Standards and Technology (NIST), what has the delay in applying the patch caused?
Control
Risk
Threat
Vulnerability
D
NIST defines vulnerability as a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. In addition to delays in applying patches, other examples of vulnerabilities include improperly installed hardware, untested software, and inadequate physical security.
Control is a system or procedure put in place to mitigate a risk. An example of control is policies or network monitoring to identify unauthorized software.
Risk is the likelihood and impact of a threat actor exercising a vulnerability.
Threat is the potential for a threat agent to exercise a vulnerability.
Any part of the World Wide Web that is accessed through non-standard methods and is intentionally not indexed and hidden from a search engine is called a _____.
Dark net
Cyber threat actor
Deep web
Dark web
C
Deep web is any part of the World Wide Web that is not indexed by a search engine. Examples include pages that require registration, unlinked pages, and pages using nonstandard DNS.
A dark net is deliberately concealed and is an overlay to internet infrastructure. A dark net is one type of deep web.
Cyber threat actors use deep web pages to communicate and exchange information without detection. This is accomplished using deep web.
Dark web are sites, content, and services that are accessible only over a dark net.
Which of the following could represent an insider threat? (Select all the apply.)
Former employee
Contractor
Customer
White box hacker
AB
Anyone who has or had authorized access to an organization’s network, system, or data is considered an insider threat. In this example, a former employee and a contractor fit the criteria.
Current employees, business partners, and contractors also qualify as insider threats.
A customer does not have authorized access and is unlikely to be affiliated with an organization’s staff.
A white box hacker is given complete access to information about the network, which is useful for simulating the behavior of a privileged insider threat, but they are not an insider threat.
A Department of Defense (DoD) security team identifies a data breach in progress, based on some anomalous log entries, and take steps to remedy the breach and harden their systems. When they resolve the breach, they want to publish the cyber threat intelligence (CTI) securely, using standardized language for other government agencies to use. The team will transmit threat data feed via which protocol?
Structured Threat Information eXpression (STIX)
Automated Indicator Sharing (AIS)
Trusted Automated eXchange of Indicator Information (TAXII)
A code repository protocol
C
The TAXII protocol provides a means for transmitting CTI data between servers and clients. Subscribers to the CTI service obtain updates to the data to load into analysis tools over TAXII.
While STIX provides the syntax for describing CTI, the TAXII protocol transmits CTI data between servers and clients.
The Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) is especially aimed at Information Sharing and Analysis Centers (ISACs), but private companies can join too. AIS is based on the STIX and TAXII standards and protocols.
A file/code repository holds signatures of known malware code.
P39
Threat Data Feeds
When you use a cyber threat intelligence (CTI) platform, you subscribe to a threat data feed. The information in the threat data can be combined with event data from your own network and system logs. An analysis platform performs correlation to detect whether any IoCs are present. There are various ways that a threat data feed can be implemented.
Structured Threat Information eXpression (STIX)
The OASIS CTI framework (oasis-open.github.io/cti-documentation) is designed to provide a format for this type of automated feed so that organizations can share CTI. The Structured Threat Information eXpression (STIX)part of the framework describes standard terminology for IoCs and ways of indicating relationships between them. Where STIX provides the syntax for describing CTI, the Trusted Automated eXchange of Indicator Information (TAXII)protocol provides a means for transmitting CTI data between servers and clients. For example, a CTI service provider would maintain a repository of CTI data. Subscribers to the service obtain updates to the data to load into analysis tools over TAXII. This data can be requested by the client (referred to as a collection), or the data can be pushed to subscribers (referred to as a channel).
Automated Indicator Sharing (AIS)
Automated Indicator Sharing (AIS)is a service offered by the Department of Homeland Security (DHS) for companies to participate in threat intelligence sharing (us-cert.gov/ais). It is especially aimed at ISACs, but private companies can join too. AIS is based on the STIX and TAXII standards and protocols.
Compare the following and select the appropriate methods for packet capture. (Select all that apply.)
Wireshark
Packet analyzer
Packet injection
Tcpdump
ABD(?AD?
Wireshark and tcdump are packet sniffers. A sniffer is a tool that captures packets, or frames, moving over a network.
Wireshark is an open source graphical packet capture and analysis utility. Wireshark works with most operating systems, where tcpdump is a command line packet capture utility for Linux.
A packet analyzer works in conjunction with a sniffer to perform traffic analysis. Protocol analyzers can decode a captured frame to reveal its contents in a readable format, but they do not capture packets.
A packet injection involves sending forged or spoofed network traffic by inserting (or injecting) frames into the network stream. Packets are not captured with packet injection.
P53
A protocol analyzer (or packet analyzer) works in conjunction with a sniffer to perform traffic analysis. You can either analyze a live capture or open a saved capture (.pcap) file. Protocol analyzers can decode a captured frame to reveal its contents in a readable format. You can choose to view a summary of the frame or choose a more detailed view that provides information on the OSI layer, protocol, function, and data.
Wireshark(wireshark.org) is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. Having chosen the interface to listen on, the output is displayed in a three-pane view. The packet list pane shows a scrolling summary of frames. The packet details pane shows expandable fields in the frame currently selected from the packet list. The packet bytes pane shows the raw data from the frame in hex and ASCII. Wireshark is capable of parsing (interpreting) the headers and payloads of hundreds of network protocols.
Select the statement which best describes the difference between a zero-day vulnerability and a legacy platform vulnerability.
A legacy platform vulnerability is unpatchable, while a zero-day vulnerability may be exploited before a developer can create a patch for it.
A zero-day vulnerability is unpatchable, while a legacy platform vulnerability can be patched, once detected.
A zero-day vulnerability can be mitigated by responsible patch management, while a legacy platform vulnerability cannot be patched.
A legacy platform vulnerability can be mitigated by responsible patch management, while a zero-day vulnerability does not yet have a patch solution.
A
A zero-day vulnerability is exploited before the developer knows about it or can release a patch. These can be extremely destructive, as it can take the vendor some time to develop a patch, leaving systems vulnerable in the interim.
A legacy platform is no longer supported with security patches by its developer or vendor. By definition, legacy platforms are not patchable.
Legacy systems are highly likely to be vulnerable to exploits and must be protected by security controls other than patching, such as isolating them to networks that an attacker cannot physically connect to.
Even if effective patch management procedures are in place, attackers may still be able to use zero-day software vulnerabilities, before a vendor develops a patch.
An outside security consultant updates a company’s network, including data cloud storage solutions. The consultant leaves the manufacturer’s default settings when installing network switches, assuming the vendor shipped the switches in a default-secure configuration. Examine the company’s network security posture and select the statements that describe key vulnerabilities in this network. (Select all that apply.)
The network is open to third-party risks from using an outside contractor to configure cloud storage settings.
The default settings in the network switches represent a weak configuration.
The use of network switches leaves numerous unused ports open.
The default settings in the network switches represent unsecured protocols.
AB
Weaknesses in products or services in a supply chain can impact service availability and performance, or lead to data breaches. Suppliers and vendors in the chain rely on each other to perform due diligence.
Relying on the manufacturer default settings when deploying an appliance or software applications is a weak configuration. Although many vendors ship products in secure default configurations, it is insufficient to rely on default settings.
Default settings may leave unsecure interfaces enabled that allow an attacker to compromise the device. Weak settings on network appliances can allow attackers to move through the network unhindered and snoop on traffic.
An unsecure protocol transfers data as cleartext. It does not use encryption for data protection.
In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan? (Select all that apply.)
When active scanning poses no risk to system stability
External assessments of a network perimeter
Detection of security setting misconfiguration
Web application scanning
BD
Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning.
A non-credentialed scan proceeds by directing test packets at a host without being able to log on to the OS or application. A non-credentialed scan provides a view of what the host exposes to an unprivileged user on the network.
A passive scan has the least impact on the network and on hosts but is less likely to identify vulnerabilities comprehensively.
Configuration reviews investigate how system misconfigurations make controls less effective or ineffective, such as antivirus software not being updated, or management passwords left configured to the default. Configuration reviews generally require a credentialed scan.
P71
Credentialed versus Non-Credentialed Scanning
A non-credentialed scan is one that proceeds by directing test packets at a host without being able to log on to the OS or application. The view obtained is the one that the host exposes to an unprivileged user on the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given privileged access. While you may discover more weaknesses with a credentialed scan, you sometimes will want to narrow your focus to think like an attacker who doesn’t have specific high-level permissions or total administrative access. Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning.
A credentialed scan is given a user account with log-on rights to various hosts, plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. It also shows what an insider attack, or one where the attacker has compromised a user account, may be able to achieve. A credentialed scan is a more intrusive type of scan than non-credentialed scanning.
A contractor has been hired to conduct penetration testing on a company’s network. They have decided to try to crack the passwords on a percentage of systems within the company. They plan to annotate the type of data that is on the systems that they can successfully crack to prove the ease of access to data. Evaluate the penetration steps and determine which are being utilized for this task. (Select all that apply.)
Test security controls
Bypass security controls
Verify a threat exists
Exploit vulnerabilities
AD
Two penetration test steps are being utilized by actively testing security controls and exploiting the vulnerabilities. Identifying weak passwords is actively testing security controls.
In addition, exploiting vulnerabilities is being used by proving that a vulnerability is high risk. The list of critical data obtained will prove that the weak passwords can allow access to critical information.
Bypassing security controls can be accomplished by going around controls that are already in place to gain access.
Verifying that a threat exists would have consisted of using surveillance, social engineering, network scanners, and/or vulnerability assessment tools to identify vulnerabilities.
A hacker set up a Command and Control network to control a compromised host. What is the ability of the hacker to use this remote connection method as needed known as?
Weaponization
Persistence
Reconnaissance
Pivoting
B(這題很爛,他在講PT,但混入cyber kill chain)
Persistence refers to the hacker’s ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the hacker must establish a Command and Control (C2 or C&C) network.
Weaponization is an exploit used to gain some sort of access to a target’s network, but it doesn’t involve being able to reconnect.
Reconnaissance is the process of gathering information, it is not related to Command and Control networks.
Pivoting follows persistence. It involves a system and/or set of privileges that allow the hacker to compromise other network systems (lateral spread). The hacker likely has to find some way of escalating the privileges available to him/her.
P80
Pen Test Attack Life Cycle
In the kill chain attack life cycle, reconnaissance is followed by an initial exploitation phase where a software tool is used to gain some sort of access to the target’s network.
This foothold might be accomplished using a phishing email and payload or by obtaining credentials via social engineering.
Having gained the foothold, the pen tester can then set about securing and widening access.
A number of techniques are required:
• Persistence—the tester’s ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor. To do this, the tester must establish a command and control (C2 or C&C) network to use to control the compromised host, upload additional attack tools, and download exfiltrated data. The connection to the compromised host will typically require a malware executable to run after shut down/log off events and a connection to a network port and the attacker’s IP address to be available.
• Privilege escalation—persistence is followed by further reconnaissance, where the pen tester attempts to map out the internal network and discover the services running on it and accounts configured to access it. Moving within the network or accessing data assets are likely to require higher privilege levels. For example, the original malware may have run with local administrator privileges on a client workstation or as the Apache user on a web server. Another exploit might allow malware to execute with system/root privileges, or to use network administrator privileges on other hosts, such as application servers.
• Lateral movement—gaining control over other hosts. This is done partly to discover more opportunities to widen access (harvesting credentials, detecting software vulnerabilities, and gathering other such “loot”), partly to identify where valuable data assets might be located, and partly to evade detection. Lateral movement usually involves executing the attack tools over remote process shares or using scripting tools, such as PowerShell.
• Pivoting—hosts that hold the most valuable data are not normally able to access external networks directly. If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network. A pivot is normally accomplished using remote access and tunneling protocols, such as Secure Shell (SSH), virtual private networking (VPN), or remote desktop.
• Actions on Objectives—for a threat actor, this means stealing data from one or more systems (data exfiltration). From the perspective of a pen tester, it would be a matter of the scope definition whether this would be attempted. In most cases, it is usually sufficient to show that actions on objectives could be achieved.
• Cleanup—for a threat actor, this means removing evidence of the attack, or at least evidence that could implicate the threat actor. For a pen tester, this phase means removing any backdoors or tools and ensuring that the system is not less secure than the pre-engagement state.
P470
The Lockheed Martin kill chain identifies the following phases:
1. Reconnaissance—in this stage the attacker determines what methods to use to complete the phases of the attack and gathers information about the target’s personnel, computer systems, and supply chain.
2. Weaponization—the attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system.
3. Delivery—the attacker identifies a vector by which to transmit the weaponized code to the target environment, such as via an email attachment or on a USB drive.
4. Exploitation—the weaponized code is executed on the target system by this mechanism. For example, a phishing email may trick the user into running the code, while a drive-by-download would execute on a vulnerable system without user intervention.
5. Installation—this mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system.
6. Command and control (C2 or C&C)—the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.
7. Actions on objectives—in this phase, the attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration). An attacker may have other goals or motives, however.
A system administrator has just entered their credentials to enter a secure server room. As the administrator is entering the door, someone is walking up to the door with their hands full of equipment and appears to be struggling to move items around while searching for their credentials. The system administrator quickly begins to assist by getting items out of the person’s hands, and they walk into the room together. This person is not an employee, but someone attempting to gain unauthorized access to the server room. What type of social engineering has occurred?
Familiarity/liking
Consensus/social proof
Authority and intimidation
Identity fraud
B
Consensus/social proof revolves around the belief that without an explicit instruction to behave in a certain way, people will follow social norms. It is typically polite to assist someone with their hands full.
Familiarity/Liking is when an attacker uses charisma to persuade others to do as requested. They downplay their requests to make it seem like their request is not out of the ordinary.
Authority and Intimidation can be used by an
attacker by pretending to be someone senior. The person receiving the request would feel the need to take action quickly and without questioning the attacker.
Identity fraud is a specific type of impersonation where the attacker uses specific details (such as personal information) of someone’s identity.
P85
Consensus/Social Proof
The principle of consensusor social proofrefers to the fact that without an explicit instruction to behave in a certain way, many people will act just as they think others would act. A social engineering attack can use this instinct either to persuade the target that to refuse a request would be odd (“That’s not something anyone else has ever said no to”) or to exploit polite behavior to slip into a building while someone holds the door for them. As another example, an attacker may be able to fool a user into believing that a malicious website is actually legitimate by posting numerous fake reviews and testimonials praising the site. The victim, believing many different people have judged the site acceptable, takes this as evidence of the site’s legitimacy and places their trust in it.
A gaming company decides to add software on each title it releases. The company’s objective is to require the CD to be inserted during use. This software will gain administrative rights, change system files, and hide from detection without the knowledge or consent of the user. Consider the malware characteristics and determine which is being used.
Spyware
Keylogger
Rootkit
Trojan
C
A rootkit is characterized by its ability to hide itself by changing core system files and programming interfaces and to escalate privileges. The gaming company accomplished this.
Spyware monitors user activity and may be installed with or without the user’s knowledge, but it cannot gain administrative privileges or hide itself.
A keylogger is also a type of spyware that records a user’s keystrokes. It occurs without a user’s knowledge, but it cannot hide itself or gain privileges.
Trojans cannot conceal their presence entirely and will surface as a running process or service. While a rootkit is a type of Trojan or spyware, it differs in its ability to hide itself.
An employee calls IT personnel and states that they received an email with a PDF document to review. After the PDF was opened, the system has not been performing correctly. An IT admin conducted a scan and found a virus. Determine the two classes of viruses the computer most likely has. (Select all that apply.)
Boot sector
Program
Script
Macro
BC
Both a program and script virus can use a PDF as a vector. The user stated that a PDF file was recently opened. A program virus is executed when an application is executed. Executable objects can also be embedded or attached within other file types such as Microsoft Word and Rich Text Format.
A script virus typically targets vulnerabilities in an interpreter. Scripts are powerful languages used to automate operating system functions and add interactivity to web pages and are executed by an interpreter rather than self-executing. PDF documents have become a popular vector for script viruses.
A boot sector virus is one that attacks the disk boot sector information, the partition table, and sometimes the file system.
A macro virus uses the programming features available in Microsoft Office documents.
P93
A computer virusis a type of malware designed to replicate and spread from computer to computer, usually by “infecting” executable applications or program code. There are several different types of viruses and they are generally classified by the different types of file or media that they infect:
• Non-resident/file infector—the virus is contained within a host executable file and runs with the host process. The virus will try to infect other process images on persistent storage and perform other payload actions. It then passes control back to the host program.
• Memory resident—when the host file is executed, the virus creates a new process for itself in memory. The malicious processremains in memory, even if the host process is terminated.
• Boot—the virus code is written to the disk boot sector or the partition table of a fixed disk or USB media, and executes as a memory resident process when the OS starts or the media is attached to the computer.
• Script and macro viruses—the malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript, Microsoft Office documents with Visual Basic for Applications (VBA) code enabled, or PDF documents with JavaScript enabled.
Which of the following is NOT a use of cryptography?
Non-repudiation
Obfuscation
Security through obscurity
Resiliency
C這是課本定義
Security through obscurity involves keeping something a secret by hiding it. With cryptography, messages do not need to be hidden since they are not understandable unless decrypted.
Non-repudiation is when the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, logic follows the sender must have composed it.
Obfuscation is the art of making a message difficult to understand. Cryptography is a very effective way of obfuscating a message by encrypting it.
Resiliency occurs when the compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography ensures the authentication and integrity of messages delivered over the control system.
P106
Security through obscurity involves keeping something a secret by hiding it. With cryptography, messages do not need to be hidden since they are not understandable unless decrypted.
Non-repudiation is when the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, logic follows the sender must have composed it.
Obfuscation is the art of making a message difficult to understand. Cryptography is a very effective way of obfuscating a message by encrypting it.
Resiliency occurs when the compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography ensures the authentication and integrity of messages delivered over the control system.
P609
2. How can cryptography support high resiliency?
A complex system might have to support many inputs from devices installed to potentially unsecure locations. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.
Compare and contrast the modes of operation for block ciphers. Which of the following statements is true?
ECB and CBC modes allow block ciphers to behave like stream ciphers.
CTR and GCM modes allow block ciphers to behave like stream ciphers.
ECB and GCM modes allow block ciphers to behave like stream ciphers.
CBC and CTR modes allow block ciphers to behave like stream ciphers.
B Counter Mode (CTR) and Galois/Counter Mode (GCM) combine each block with a counter value. This allows each block to be processed individually and in parallel, improving performance.
Electronic Code Book (ECB) mode applies the same key to each plaintext block, which means identical plaintext blocks can output identical ciphertexts. This is not how a stream cipher behaves.
Counter Mode (CTR) and Galois/Counter Mode (GCM) allow block ciphers to behave like stream ciphers, which are faster than block ciphers.
Cipher Block Chaining (CBC) mode applies an Initialization Vector (IV) to the first plaintext block to ensure that the key produces a unique ciphertext from any given plaintext and repeating as a “chain.” This is not how a stream cipher behaves.
P648
GCM (Galois/Counter Mode)A mode of block chained encryption that provides message authenticity for each block.
P110
Stream Ciphers
In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known. The plaintext is combined with a separate randomly generated message, calculated from the key and an initialization vector (IV). The IV ensures the key produces a unique ciphertext from the same plaintext. The keystream must be unique, so an IV must not be reused with the same key. The recipient must be able to generate the same keystream as the sender and the streams must be synchronized. Stream ciphers might use markers to allow for synchronization and retransmission. Some types of stream ciphers are made self-synchronizing.
Block Ciphers
In a block cipher, the plaintext is divided into equal-size blocks (usually 128-bit). If there is not enough data in the plaintext, it is padded to the correct size using some string defined in the algorithm. For example, a 1200-bit plaintext would be padded with an extra 80 bits to fit into 10 x 128-bit blocks. Each block is then subjected to complex transposition and substitution operations, based on the value of the key used. The Advanced Encryption Standard (AES)is the default symmetric encryption cipher for most products. Basic AES has a key size of 128 bits, but the most widely used variant is AES256, with a 256-bit key.
A security team is in the process of selecting a cryptographic suite for their company. Analyze cryptographic implementations and determine which of the following performance factors is most critical to this selection process if users primarily access systems on mobile devices.
Speed
Latency
Computational overhead
Cost
C
Some technologies or ciphers configured with longer keys require more processing cycles and memory space, which makes them slower and consume more power. This makes them unsuitable for handheld devices and embedded systems that work on battery power.
Speed is most impactful when processing large amounts of data.
For some use cases, the time required to obtain a result is more important than a data rate. Latency issues may negatively affect performance when an operation or application times out before the authentication handshake.
Cost issues may arise in any decision-making process, but for mobile device cryptography, computing overhead is a primary limiting factor.
P123
Differences between ciphers make them more or less useful for resource-constrained environments. The main performance factors are as follows:
• Speed—for symmetric ciphers and hash functions, speedis the amount of data per second that can be processed. Asymmetric ciphers are measured by operations per second. Speed has the most impact when large amounts of data are processed.
• Time/latency—for some use cases, the time required to obtain a result is more important than a data rate. For example, when a secure protocol depends on ciphers in the handshake phase, no data transport can take place until the handshake is complete. This latency, measured in milliseconds, can be critical to performance.
• Size—the security of a cipher is strongly related to the size of the key, with longer keys providing better security. Note that the key size cannot be used to make comparisons between algorithms. For example, a 256-bit ECC key is stronger than a 2048-bit RSA key. Larger keys will increase the computational overhead for each operation, reducing speed and increasing latency.
• Computational overheads—in addition to key size selection, different ciphers have unique performance characteristics. Some ciphers require more CPU and memory resources than others, and are less suited to use in a resource-constrained environment.
