Practice Test 1 Flashcards

1
Q
What is the Lockheed Martin Cyber Kill Chain?
A

It is a model developed by Lockheed Martin that describes the stages of a cyber attack, from the attacker's initial reconnaissance through to achieving their objective.

2
Q
What are the 7 stages of the Lockheed Martin Cyber Kill Chain?
A
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control (C2)
  7. Actions on Objectives
3
Q

Stage 1. Reconnaissance

A

Gather information about the target. Attackers research the organisation to identify vulnerabilities, employees or systems they can exploit.

For example: scanning for open ports, or looking for weak points in the organisation's infrastructure.

4
Q

Stage 2. Weaponization

A

Pairing an exploit for a vulnerability with a malware payload. Attackers prepare the malicious tools (such as a weaponised document) that will exploit the vulnerabilities identified during reconnaissance.

For example: creating a malicious document or an infected website that targets a specific vulnerability in the victim's software.

5
Q

Stage 3. Delivery

A

Transmitting the malicious code to the target. The attacker sends the weaponised payload to the victim. This is the stage where phishing emails, USB drops or compromised websites are used.

For example: Sending an email attachment with malware to an unsuspecting victim.

6
Q

Stage 4. Exploitation

A

Execute code on the victim’s system. The payload is executed on the victim’s system by exploiting the vulnerability.

For example: Opening an infected document that runs a malicious macro, or exploiting an unpatched system.

7
Q

Stage 5. Installation

A

Install malware on the compromised system. The attacker installs additional tools (such as backdoors or rootkits) to maintain access to the victim's system.

For example: installing a trojan or backdoor so that access survives a reboot or a password change (persistence).

8
Q

Stage 6. Command and Control (C2)

A

Maintain communication with a compromised system. The attacker establishes a channel to remotely control the compromised system. This often involves communication with a remote server.

For example: a compromised computer "phoning home" to a command-and-control server to receive further instructions or exfiltrate data.

9
Q

Stage 7. Actions on Objectives

A

Achieve the attacker's final objectives. At this stage the attacker carries out the intended actions, which could include data exfiltration, destruction of data, or further lateral movement within the network.

For example: Stealing sensitive data, deploying ransomware, or destroying files.

10
Q
What is the purpose of the Cyber Kill Chain model?
A

The Cyber Kill Chain model gives security teams a proactive approach to:
Detect threats at different stages.
Respond effectively to an attack in progress.
Disrupt the attacker's workflow at any stage to prevent them from completing their objective.

By understanding the chain, organisations can deploy security measures at each step to mitigate attacks and reduce their success rate; breaking any single link stops the attack from progressing.

11
Q
What is a brute force attack?
A

A brute force attack tries many passwords against a single user account. Because all the failures land on one account, it tends to trip per-account lockout thresholds.

12
Q
What is password spraying?
A

Password spraying tries only one or two (commonly used) passwords against many user accounts, staying under the per-account lockout threshold and so evading controls that only watch a single account.
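The two cards above describe the same symptom (failed logins) with a different shape, and that shape is what a detection has to key on. The following is an added example, not part of the original flashcards: it runs both detections over a constructed authentication log. The log format ("timestamp result user src_ip"), the ten-minute window and the thresholds of five are assumptions made for the example. Brute force is found by counting failures per account; spraying is found by pivoting on the source address and counting distinct accounts it failed against, which is exactly the view a per-account lockout never sees.

```python
"""Telling a brute-force attack from a password spray in authentication logs.

Added example for the flashcards above; not code from the original page.
Log format, window size and thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp result user src_ip" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL alice 203.0.113.10
2024-05-01T09:00:02 FAIL alice 203.0.113.10
2024-05-01T09:00:03 FAIL alice 203.0.113.10
2024-05-01T09:00:04 FAIL alice 203.0.113.10
2024-05-01T09:00:05 FAIL alice 203.0.113.10
2024-05-01T09:00:06 FAIL alice 203.0.113.10
2024-05-01T09:10:00 FAIL bob 198.51.100.7
2024-05-01T09:10:05 FAIL carol 198.51.100.7
2024-05-01T09:10:10 FAIL dave 198.51.100.7
2024-05-01T09:10:15 FAIL erin 198.51.100.7
2024-05-01T09:10:20 FAIL frank 198.51.100.7
2024-05-01T09:10:25 OK grace 198.51.100.7
2024-05-01T09:30:00 FAIL heidi 192.0.2.55
2024-05-01T09:30:30 OK heidi 192.0.2.55
"""

WINDOW = timedelta(minutes=10)      # assumed detection window
BRUTE_FORCE_THRESHOLD = 5           # failures against ONE account within WINDOW
SPRAY_THRESHOLD = 5                 # distinct accounts failed from ONE source within WINDOW


def parse_log(text):
    """Parse the assumed log format into (timestamp, result, user, src_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def sliding_window_hits(keyed_events, threshold):
    """Return the keys that accumulate `threshold` distinct values inside WINDOW.

    keyed_events maps key -> list of (timestamp, value).  For brute force the
    value is the timestamp itself (so we count attempts); for spraying the value
    is the targeted username (so we count distinct accounts).
    """
    hits = set()
    for key, items in keyed_events.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the left edge until the window is no wider than WINDOW.
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            if len({value for _, value in items[start:end + 1]}) >= threshold:
                hits.add(key)
                break
    return hits


def detect_brute_force(events):
    """Accounts that received BRUTE_FORCE_THRESHOLD failures within WINDOW."""
    per_user = defaultdict(list)
    for ts, result, user, _src in events:
        if result == "FAIL":
            per_user[user].append((ts, ts))
    return sliding_window_hits(per_user, BRUTE_FORCE_THRESHOLD)


def detect_password_spray(events):
    """Sources that failed against SPRAY_THRESHOLD distinct accounts within WINDOW."""
    per_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            per_src[src].append((ts, user))
    return sliding_window_hits(per_src, SPRAY_THRESHOLD)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute-forced accounts:", detect_brute_force(evts))   # {'alice'}
    print("spraying sources:     ", detect_password_spray(evts))  # {'198.51.100.7'}
```

Note that 203.0.113.10 generates more failures than the spraying host yet is not flagged as a sprayer (one account only), and the spraying host never trips the per-account rule (one failure per account). A real deployment would add the successful login after a spray (grace from 198.51.100.7) as a high-priority follow-up, since that is the account the attacker got into.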

13
Q
Which techniques are commonly used by port and vulnerability scanners to identify the services running on a target system?
A

Banner grabbing and comparing response fingerprints. Both are common because the banner a service volunteers, and the way it responds to crafted probes, give strong clues about which software (and often which version) is listening.

The question is asking about the techniques network scanning tools use to identify the services running on a system: the methods port and vulnerability scanners such as Nmap rely on to determine which services (HTTP, SSH, FTP, etc.) are active on a target.
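As an added example (not code from the original flashcards or from Nmap), here is the technique in miniature: a banner grabber that connects, sends a probe when the protocol expects the client to speak first, and a fingerprint function that matches the reply against a small signature table. The signature table, probe map and local test server are assumptions constructed for this example; Nmap's real nmap-service-probes file holds thousands of such regexes, but the mechanism is the same.

```python
"""Banner grabbing and response fingerprinting, as used by service scanners.

Added example for the flashcard above; not the page's or Nmap's own code.
The signature table and probe map are small constructed assumptions.
"""
import re
import socket
import threading

# Assumed signature table: (service, regex with an optional "version" group).
# Order matters: more specific signatures go first.
SIGNATURES = [
    ("ssh",  re.compile(r"^SSH-(?P<proto>\d\.\d)-(?P<version>\S+)")),
    ("ftp",  re.compile(r"^220[ -].*?(?P<version>(?:vsFTPd|ProFTPD|FileZilla)[^\r\n)]*)", re.I)),
    ("smtp", re.compile(r"^220[ -](?P<host>\S+) (?:ESMTP|SMTP)(?P<version>[^\r\n]*)", re.I)),
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}.*?\r?\nServer:\s*(?P<version>[^\r\n]+)", re.I | re.S)),
]

# SSH/FTP/SMTP greet the client unprompted; HTTP says nothing until asked.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n", 8080: b"HEAD / HTTP/1.0\r\n\r\n"}


def fingerprint(banner):
    """Map a raw banner to (service, version); ('unknown', None) if nothing matches."""
    for service, pattern in SIGNATURES:
        m = pattern.search(banner)
        if m:
            version = m.groupdict().get("version")
            return service, (version.strip() if version else None)
    return "unknown", None


def grab_banner(host, port, timeout=3.0):
    """Connect to host:port, send a protocol probe if one is known, return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        probe = PROBES.get(port)
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024).decode("latin-1")
        except socket.timeout:
            return ""


def _serve_once(srv, banner):
    """Throwaway local listener for the offline demo (constructed, not a real service)."""
    conn, _ = srv.accept()
    conn.sendall(banner)
    conn.close()
    srv.close()


def demo():
    """Stand up a fake SSH server on localhost, grab its banner, fingerprint it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=_serve_once,
                         args=(srv, b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"))
    t.start()
    banner = grab_banner("127.0.0.1", port)
    t.join()
    return fingerprint(banner)


if __name__ == "__main__":
    print(demo())  # ('ssh', 'OpenSSH_8.9p1')
```

The version string is what a vulnerability scanner then looks up against its CVE database, which is also why banners are an attacker's first stop during reconnaissance and why hardening guides recommend suppressing or genericising them where the protocol allows.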

14
Q

What is data exfiltration?

A

Data exfiltration is data theft: the intentional, unauthorised transfer of data out of a system or network. Several kinds of agent carry it out: external attackers, insiders, and malware designed for data theft.

15
Q
What is a buffer overflow?
A

A buffer overflow is a vulnerability that occurs when a program writes more data to a buffer (a fixed-size temporary storage area in memory) than the buffer can hold, so the excess overwrites adjacent memory.

This can lead to unexpected behaviour or crashes, and if the overwritten memory holds control data such as a return address or function pointer, it can allow attackers to execute malicious code on the system.

16
Q

What is the Security Intelligence Cycle?

A

The Security Intelligence Cycle is a structured process used to collect, analyze, and disseminate information related to security threats, risks, and vulnerabilities.

It helps organizations to make informed decisions and take appropriate actions to mitigate security risks.

17
Q
What are the 6 phases of the Security Intelligence Cycle?
A
  1. Direction
  2. Collection
  3. Processing
  4. Analysis
  5. Dissemination
  6. Feedback
18
Q

Phase 1. Direction

A

Purpose: Define the goals and objectives of the intelligence effort.

Activities: Identify the types of intelligence needed, prioritize security issues, and set specific tasks.

This stage often involves collaboration among stakeholders to understand their requirements.

19
Q

Phase 2. Collection

A

Purpose: Gather relevant information and data.

Activities: Utilize various methods and sources to collect information, which can include open-source intelligence (OSINT), human intelligence (HUMINT), signals intelligence (SIGINT), and other forms. Data may be collected from internal systems, external threats, or public sources.

20
Q

Phase 3. Processing

A

Purpose: Organize and prepare the collected data for analysis.

Activities: Filter, categorize, and format the information to make it usable. This may involve converting raw data into a structured format or enriching the data with additional context.

21
Q

Phase 4. Analysis

A

Purpose: Assess the processed information to identify patterns, trends, and insights.

Activities: Apply analytical techniques to evaluate the significance of the information, determine potential threats, and develop actionable intelligence. Analysts may use various methodologies, such as statistical analysis, threat modeling, and scenario analysis.

22
Q

Phase 5. Dissemination

A

Purpose: Share the analysed intelligence with stakeholders.

Activities: Distribute intelligence reports, briefings, or alerts to relevant personnel. The format and frequency of dissemination depend on the audience and the urgency of the information.

23
Q

Phase 6. Feedback

A

Purpose: Gather input to improve the intelligence process.

Activities: Collect feedback from users to assess the effectiveness of the intelligence provided. This helps refine future intelligence efforts and adjust the focus based on changing threats or stakeholder needs.

24
Q
What are the ports for the following protocols?

LDAP
MySQL
RDP
IMAP

A

LDAP runs on port 389 (LDAP over TLS/SSL, LDAPS, uses 636).
MySQL runs on port 3306.
RDP runs on port 3389.
IMAP runs on port 143 (IMAP over TLS/SSL, IMAPS, uses 993).

25
Q
What should a domain administrator use to BEST protect Windows workstations from buffer overflow attacks?
A

Enable DEP (Data Execution Prevention) in Windows.

DEP marks memory regions that should hold only data, such as the stack and heap, as non-executable, so shellcode written into an overflowed buffer cannot simply be run. By default DEP protects only the Windows programs and services classified as essential, but it can be enabled for all programs and services, or for all except those on an exception list.

26
Q
What is a SQL injection attack?
A

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries an application makes to its database, typically by supplying input that the application concatenates straight into the SQL text so that the input is parsed as part of the query.
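The following is an added example, not code from the original flashcards: the same login lookup written the vulnerable way and the safe way, run against an in-memory SQLite database so it executes offline. The schema, rows and payloads are constructed for the example. The vulnerable version splices the username into the SQL text, so a quote and a comment marker rewrite the query's logic; the safe version hands the same input to the driver as a bound parameter, which the engine treats strictly as a value.

```python
"""SQL injection: string-built query beside its parameterised fix.

Added example for the flashcard above; not the page's own code.
Table contents and payloads are constructed for the demo.
"""
import sqlite3


def make_db():
    """Constructed users table with two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return db


def login_vulnerable(db, username, password):
    """UNSAFE: the input is formatted into the SQL text and becomes SQL syntax."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return db.execute(sql).fetchall()


def login_safe(db, username, password):
    """SAFE: placeholders; the driver binds the values without re-parsing them."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


# Constructed payloads.  "--" starts a SQL comment, so everything after it
# (including the password check) is discarded by the database.
BYPASS_USER = "alice' --"      # log in as alice with any password
DUMP_USER = "' OR 1=1 --"      # make the WHERE clause always true


def demo():
    """Run the legitimate login and both payloads through each implementation."""
    db = make_db()
    return {
        "legit_vuln":  login_vulnerable(db, "alice", "s3cret"),
        "bypass_vuln": login_vulnerable(db, BYPASS_USER, "wrong"),
        "dump_vuln":   login_vulnerable(db, DUMP_USER, "wrong"),
        "legit_safe":  login_safe(db, "alice", "s3cret"),
        "bypass_safe": login_safe(db, BYPASS_USER, "wrong"),
        "dump_safe":   login_safe(db, DUMP_USER, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12s} -> {rows}")
```

Against the vulnerable function the bypass payload returns alice's row without her password and the dump payload returns every user; against the parameterised function both payloads return nothing, because a username literally equal to `alice' --` does not exist. Input validation and least-privilege database accounts are worthwhile extra layers, but parameterised queries are the control that removes the vulnerability.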

27
Q
What is cross-site scripting (XSS)?
A

Cross-Site Scripting (XSS) is a web application vulnerability in which attackers inject malicious scripts (typically JavaScript) into web pages viewed by other users.

When a user visits the compromised page, the injected script is executed within their browser as if it were part of the legitimate web content, potentially exposing sensitive data or giving the attacker control over the user’s session.

28
Q
Which of the following scan types is useful for probing firewall rules?
    • XMAS TREE
    • TCP RST
    • TCP SYN
    • TCP ACK
A

TCP ACK scans can be used to determine which ports a firewall allows through. Note that an ACK scan reports ports only as filtered or unfiltered; it cannot tell an open port from a closed one.

29
Q
What is SOX?
A

The Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organisation's financial and business operations, including the types of documents to be stored and their retention periods. It applies to publicly traded companies in the United States; some of its provisions, such as the independent auditor's attestation of internal controls, apply only to larger filers, commonly cited as those with a public float of at least $75 million.

30
Q
What is GLBA?
A

Gramm-Leach-Bliley Act (GLBA) institutes requirements that help protect the privacy of an individual’s financial information held by financial institutions and others, such as tax preparation companies. The privacy standards and rules created as part of GLBA safeguard private information and set penalties in the event of a violation.

31
Q
What is FERPA?
A

The Family Educational Rights and Privacy Act (FERPA) requires that educational institutions implement security and privacy controls for student educational records.

32
Q
What is HIPAA?
A

The Health Insurance Portability and Accountability Act (HIPAA) establishes several rules and regulations regarding healthcare in the United States. With the rise of electronic medical records, HIPAA standards protect the privacy of patient medical information through restricted access to medical records and rules governing how they may be shared.

33
Q
Which of the following tools would you use to audit a multi-cloud environment?
    • Pacu
    • OpenVAS
    • ScoutSuite
    • Prowler
A

ScoutSuite is used to audit instances and policies created on multi-cloud platforms.

Prowler is a cloud auditing tool that, at the time this question was written, covered only AWS (newer releases have added Azure, GCP and Kubernetes, but it is still not the multi-cloud choice the question is after).

Pacu is an exploitation framework that is used to test the security configurations of an AWS account.

OpenVAS is a general-purpose vulnerability scanner but does not deal with cloud-specific issues.

34
Q
What is an acceptable use policy?
A

Governs how employees or users are allowed to use company resources.

35
Q
What is a service level agreement?
A

Defines the level of service expected between a provider and a client, such as uptime guarantees.

36
Q

What are rules of engagement?

A

The Rules of Engagement (RoE) is a document that defines the scope, boundaries, and limitations of a penetration testing engagement.

37
Q
What is a memorandum of understanding?
A

A formal agreement between parties outlining general terms of cooperation. It’s broader and less specific than the Rules of Engagement.

38
Q
What are the six phases of the incident response process?
A
  1. Preparation
  2. Detection and Analysis (Validation)
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned (Post-Incident Review)
39
Q
What happens in the Preparation stage of the Incident Response process?
A

Develop plans, policies, and tools.
Train teams and set up monitoring systems.

40
Q
What happens in the Detection and Analysis (Validation) stage of the Incident Response process?
A

Identify and verify if a suspicious event is truly a security incident.

Tasks involved:
Scanning: Check for vulnerabilities or unusual behavior.

Patching: Verify if systems are up-to-date.

Permissions: Inspect for unauthorized access or privilege misuse.

Logging: Confirm relevant logs are in place and reviewed.

Goal: Confirm the incident and gather evidence.

41
Q

What happens in the Containment stage of the Incident Response process?

A

Isolate affected systems to stop the spread of the threat.

Examples:
Disconnecting compromised systems from the network.
Blocking malicious IPs or accounts.

42
Q

What happens in the Eradication stage of the Incident Response process?

A

Eliminate the threat entirely from the environment.

Tasks involved:
Sanitization: Clean infected files or wipe compromised systems.

Remove malicious software, artifacts, or backdoors.

43
Q

What happens in the Recovery stage of the Incident Response process?

A

Restore normal operations and confirm the system is secure.

Examples:
Rebuild systems.
Re-enable access after ensuring no vulnerabilities remain.

44
Q

What happens in the Lessons Learned stage of the Incident Response process?

A

Lessons Learned (Post-Incident Review):

Analyze the incident and document findings to improve future responses.

45
Q
What is Ring 0 in the operating system's ring model?
A

Ring 0, also called Kernel Mode, is the most privileged level used by the operating system kernel. It allows full control over the system, and kernel rootkits are typically installed here.

46
Q
What is Ring 1 in the operating system's ring model?
A

Ring 1 is intended for device drivers or other lower-level system processes in some architectures, but most modern operating systems do not use it; drivers run in Ring 0 alongside the kernel.

47
Q

What is Ring 2 in the operating system's ring model?

A

Ring 2 is rarely used in modern operating systems and is reserved for some system services in specific architectures.

48
Q

What is Ring 3 in the operating system's ring model?

A

Ring 3, also called User Mode, is the least privileged level and is used by user-level applications and processes.

49
Q

Why is strcpy a security concern, and what mitigation should be applied?

A

strcpy copies until it reaches the source string's NUL terminator with no regard for the destination's size, so an over-long source causes a buffer overflow. Mitigate by replacing it with a bounds-checked copy (strncpy with an explicit destination size and manual NUL termination, since strncpy does not terminate a truncated string, or snprintf/strlcpy where available) and by enabling exploit mitigations such as ASLR (Address Space Layout Randomization) and DEP, which make a remaining overflow harder to exploit but do not remove the bug.

50
Q
Which actions occur during the final phase of the Lockheed Martin Cyber Kill Chain?
A

Privilege escalation
Modify data
Lateral movement through the environment
Exfiltrate data

51
Q
What are the key concerns when migrating to a serverless architecture? (Select three)
A

Limited disaster recovery options
Protection of endpoint security
Dependency on the cloud service provider

52
Q

Which process integrates multiple sources of information to create a complete overview for analysts during incident response or proactive threat hunting?

A

Data enrichment

53
Q

Which scanning topology would BEST meet the requirements for a centrally-managed, scalable vulnerability scanning solution with minimal false positives for a college network?

A

Active scanning

54
Q

What are the MOST effective remediation strategies for reducing the risk to an embedded ICS from a network-based compromise?

A

Segmentation

Disabling unused services

55
Q
Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices?
A

User and entity behavior analytics (UEBA)

56
Q

Which of the following scan types is useful for probing firewall rules?

A

A TCP ACK scan is useful for probing firewall rules because it reveals which ports are filtered. The scanner sends a bare ACK segment with no preceding SYN: a host with no stateful filtering in front of it answers with RST whether the port is open or closed (reported as unfiltered), while a stateful firewall that drops the unsolicited ACK produces no reply or an ICMP unreachable error (reported as filtered). Because every unfiltered port answers the same way, the scan maps the firewall's rules but cannot tell open ports from closed ones.