Udemy Exam 2 Flashcards
A cybersecurity analyst was reviewing the logs of a proxy server and saw the following URL,
https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p.
Which of the following is true about the results of this search? (SELECT THREE)
Personalization is turned off
Returns only files hosted at diontraining.com
Returns only Microsoft Excel spreadsheets
Excludes Microsoft Excel spreadsheets
All search filters are deactivated
The above example searches for files with the name “password” in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ‘:’) and (+) limits the results to files hosted on diontraining.com (site%3Adiontraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the “related:” term to the query. To deactivate all filters from the search, the “filter=0” should be used. To deactivate the directory filtering function, the “filter=p” is used.
Consider the following data:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
{ "id": "bundle--cf20f99b-3ed2-4a9f-b4f1-d660a7fc8241",
  "objects": [
    {
      "aliases": [
        "Comment Crew",
        "Comment Group",
        "Shady Rat" ],
      "created": "2015-05-15T09:00:00.000Z",
      "description": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.",
      "first_seen": "2006-06-01T00:00:00.000Z",
      "id": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a",
      "modified": "2015-05-15T09:00:00.000Z",
      "name": "APT1",
      "object_marking_refs": [
        "marking-definition--3444e29e-2aa6-46f7-a01c-1c174820fa67"
      ],
      "primary_motivation": "organizational-gain",
      "resource_level": "government",
      "spec_version": "2.1",
      "type": "intrusion-set"
    },
    {
      "aliases": [
        "Greenfield",
        "JackWang",
        "Wang Dong" ],
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following best describes the data presented above?
An XML entry describing an APT using the MITRE ATT&CK framework
A JSON excerpt describing a REST API call to a Trusted Automated eXchange of Indicator Information (TAXII) service
An XML entry describing an APT using the Structured Threat Information eXpression (STIX) framework
A JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format
The excerpt is a JSON object used by the STIX protocol to convey threat information. STIX (Structured Threat Information eXpression) is a standardized XML programming language for conveying data about cybersecurity threats in a common language that can be easily understood by humans and security technologies. Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS. TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII Clients and Servers. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for developing specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.
Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?
Attack surface
Threat model
Attack vector
Adversary capability set
The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct their attack.
In which operating system ring is a kernel rootkit typically installed?
Ring 3
Ring 0
Ring 1
Ring 2
Rootkits are usually classed as either kernel mode or user mode. CPU architectures define several protection rings. Ring 0 has complete access to any memory location and, therefore, any hardware devices connected to the system. Processes that operate with ring 0 privileges are referred to as working in kernel mode. As this suggests, only the bootloader and the core of the operating system, plus some essential device drivers, are supposed to have this access level. Ring 3 is referred to as user mode (rings 1 and 2 are rarely implemented). Ring 3 is where the OS runs services and non-essential device drivers. It is also where applications run. In user mode, each process can use only memory locations allocated by the kernel and interacts with hardware via system calls to kernel processes. A kernel-mode rootkit can gain complete control over the system.
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?
Organizational governance
Log disposition
Virtual hosts
Processor utilization
Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include only physical hosts, thereby missing many network assets.
Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company?
WHOIS lookups
BGP looking glass usage
Banner grabbing
Registrar checks
Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third parties that do not directly connect to an organization’s remote host.
While conducting a security test to ensure that information about your company’s web server is protected from inadvertent disclosure, you request an HTML file from the webserver and receive the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/6.0
Date: Tuesday, 5 Sep 2017 1034:12 GMT
Content-Type: text/html
Content-Length: 132
There is no web site configured at this address.
This page is a placeholder until construction begins.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following actions should you take to remediate this vulnerability?
Set “PerProcessLogging” to 1 in the URLScan.ini configuration file
Set “VerifyNormalization” to 1 in the URLScan.ini configuration file
Set “RemoveServerHeader” to 1 in the URLScan.ini configuration file
Set “EnableLogging” to 1 in the URLScan.ini configuration file
This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the “RemoveServerHeader” in the Microsoft IIS configuration file (URLScan.ini). If you set “RemoveServerHeader” to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored. If you set “EnableLogging” to 1, UrlScan will log its actions in a file called UrlScan.log that will be created in the same directory that contains UrlScan.dll. If you set “PerProcessLogging” to 1, UrlScan will append the process ID of the IIS process that is hosting UrlScan.dll to the log file name; for example, UrlScan.1234.log. If you set “VerifyNormalization” to 1, UrlScan verifies the URL’s normalization and will defend against canonicalization attacks, where the URL contains a double-encoded string. Please note, this question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s complete content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess, and move on!
During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true?
You are scanning a CDN-hosted copy of the site
The scan will not produce any useful information
The server assumes you are conducting a DDoS attack
Nothing can be determined about this site with the information provided
This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the Edge server’s cache or pulled from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.
Which of the following tools would you use to audit a multi-cloud environment?
ScoutSuite
Prowler
Prowler is a cloud auditing tool, but it can only be used on AWS
Pacu
Pacu is an exploitation framework that is used to test the security configurations of an AWS account
OpenVAS
OpenVAS is a general-purpose vulnerability scanner but does not deal with cloud-specific issues
Which analysis framework provides a graphical depiction of the attacker’s approach relative to a kill chain?
OpenIOC
MITRE ATT&CK framework
Diamond Model of Intrusion Analysis
Lockheed Martin cyber kill chain
The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical representation of an attacker’s behavior.
The MITRE ATT&CK framework
The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors.
The Lockheed Martin cyber kill chain
The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate.
OpenIOC
OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.
Which of the following secure coding best practices ensures a character like < is translated into the &lt; string when writing to an HTML page?
Output encoding
Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page.
Input Validation
Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components.
Improper error handling
Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker.
A recent vulnerability scan found several vulnerabilities on an organization’s public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?
An HTTP response that reveals an internal IP address
A website utilizing a self-signed SSL certificate
A buffer overflow that is known to allow remote code execution
A cryptographically weak encryption cipher
The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.
Which of the following is the most difficult to confirm with an external vulnerability scan?
Blind SQL injection
Cross-site scripting (XSS)
Unpatched web server
Cross-site request forgery (XSRF/CSRF)
Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred.
XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.
Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting?
Continuous vulnerability scanning
Scheduled vulnerability scanning
On-demand vulnerability scanning
Agent-based monitoring
An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. While vulnerability scans can give you a snapshot of a system’s status at a certain time, it will not remain current and accurate without continual rescanning.
A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems?
The same vulnerability will be compromised on their servers
The attacker will conduct a man-in-the-middle attack
The attacker will conduct a SQL injection against their database
They may now be vulnerable to a credential stuffing attack
The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumption group, it is likely that some of Yoyodyne’s consumers also had a user account at Whamiedyne. If the attackers compromised the username and passwords from Whamiedyne’s servers, they might attempt to use those credentials on Yoyodyne’s servers, too. There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn’t mention an SQL database. Therefore, there is no direct threat of an SQL injection. A man-in-the-middle (MitM) attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the host. Nothing in this question indicates that a MitM was utilized or is a possible threat.
A cybersecurity analyst is conducting a port scan of 192.168.1.45 using nmap. During the scan, the analyst found numerous ports open, and nmap could not determine the operating system version of the system installed at 192.168.1.45. The analyst asks you to look over the results of their nmap scan:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Starting NMAP 7.60 at 2020-06-12 21:23:15
NMAP scan report for 192.168.1.45
Host is up (0.78s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:0C:29:18:6B:DB
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following operating systems is most likely used by the host?
Based on the open ports, it is likely that the host is a networked printer. Port 515 is used as an LPR/LPD port for most printers and older print servers. Port 631 is used for IPP for most modern printers and CUPS-based print servers. Port 9100 is used as a RAW port for most printers and is also known as the direct-IP port. If any of these three ports are found, the host is likely a printer. If ports 135, 139, and 445 are found, this is usually a good indication of a Windows file server. Ports such as FTP, telnet, SMTP, and HTTP are used by both Windows and Linux servers; therefore, they are not as helpful in indicating which operating system is in use by the host.