Weak Points Flashcards

1
Q

RFC

A

Request for Comments:
Published by ISOC
Not all RFCs are standards documents (experimental, best practice, standard track)
Many informal RFCs analyze threats

An RFC is authored by individuals or groups of engineers and computer scientists in the form of a memorandum describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

AIS

A

Automated Indicator Sharing:
A US government initiative for real-time sharing of cyber threat indicators

Intelligence industry needs a standard way to share important threat data (share info freely)

Ex: STIX & TAXII

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

STIX

A

Structured Threat Information Expression:
A standardized XML programming language for conveying data about cybersecurity threats in a common language that can be easily understood by humans & security tech

Describes cyber threat info (motivations, capabilities, response info)

Designed to be shared via TAXII (but can be shared by other means)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

TAXII

A

Trusted Automation Exchange of Intelligence Information:
Defines how cyber threat information can be shared via services and message exchanges
Securely shares STIX data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

SRTP

A

Secure Real-Time Transport:
RTP for delivering A/V over IP networks
Uses AES
Authentication, integrity, & replay protection
HMAC-SHA1

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

SFTP vs. FTPS

A

SFTP: SSH FTP

FTPS: FTP over SSL/TLS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

CE vs. SE vs. Zero-Fill

A

Cryptographic Erase:
Sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive

Secure Erase:
Used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available

Zero-Fill:
Relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

SPI

A

Sensitive Personal Information:
Information about a subject’s opinions, beliefs, and nature afforded specially protected status by privacy legislation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Rules of Engagement (Pentesting)

A

Can state things like no social engineering is allowed, no external website scanning, etc

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

IoC

A

Indicator of Compromise:
An artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.

Typical IoCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers’ domain names

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

First action after forensically imaging a hard drive for evidence

A

The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match.

A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Protecting Data Center Servers: 4 Best Features

A

FM-200 (gas), Biometric Locks, Mantrap, Antivirus

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

DPO (Data Protection Officer)

A

The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.

They must understand how any privacy information is used within business operations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

EDM (Exact Data Match)

A

A pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers.

Since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers’ fingerprints instead based on their format or sequence

Ex: xxx-xx-xxxx

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Identifying rogue devices on a wired network

A

The best option is MAC address reporting from a source device like a router or a switch.

If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

GLBA

A

Gramm-Leach-Bliley Act:
A United States federal law that requires financial institutions to explain how they share and protect their customers’ private information

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Data Sovereignty

A

Refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service.

18
Q

Staging

A

Staging environments can mimic the actual production environment, leading to a realistic test environment that minimizes the risk of failure during a push to the production environment

19
Q

LDAP: Shared Authentication?

A

LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols.

Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.

20
Q

Which protocol is paired with OAuth2?

A

OpenID Connect:
OAuth 2 is explicitly designed to authorize claims and not to authenticate users.

The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields.

21
Q

Investigating Spam: Most important info

A

You should first request a copy of one of the spam messages, including the full email header.

By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email

22
Q

Banner Grabbing

A

Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server’s response.

This banner usually contains the server’s operating system and the version number of the service being run.

23
Q

Hping

A

Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command but offered far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation.

Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities.

Hping also allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols.

Hping does not support IPv6 (NMAP creators made Nping to make up for this)

24
Q

Call List/Escalation List

A

This list should detail who should be called, what order, and how high up the organizational leadership chart a particular issue would reach.

In almost every case, the incident response team lead should be contacted before the CEO or CIO is notified of the incident

25
Q

FERPA

A

Protects the privacy of student educational records

26
Q

Incident Response: Preservation of Evidence

A

Occurs during Containment, Eradication, & Recovery

27
Q

SAML: SP

A

Service Provider:
SAML allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP.

28
Q

Polymorphic Virus

A

A polymorphic virus alters its binary code to avoid detection by antimalware scanners that rely on signature-based detection. By changing its signature, the virus can avoid detection.

29
Q

Strongest Containment Technique

A

Isolating affected systems

30
Q

Detecting Buffer Overflows

A

Buffer overflows are most easily detected by conducting a static code analysis.

Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools.

31
Q

Degaussing: Media Sanitization Classification

A

Purging:
Eliminates information from being feasibly recovered even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques.

32
Q

Credentialed vs. Non-credentialed Scans

A

Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results.

A non-credentialed scan relies on external resources for configuration settings that can be altered or incorrect.

33
Q

Biggest Disadvantage of SSO

A

It introduces a single point of failure

34
Q

Threat + ? = Risk

A

Vulnerability

35
Q

PCI-DSS Breach Notification

A

Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard).

36
Q

Data Breach Notifications

A

Conduct notification to all affected customers within 72 hours of the discover of the breach

Generally speaking, most laws require notification within 72 hours, such as the GDPR

37
Q

Hardware Write Blocker

A

Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it.

Hardware > Software

38
Q

ABAC

A

Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes.

Information such as the group membership, the OS being used by the user, and even the machine’s IP address could be considered when granting or denying access.

39
Q

Captive Portal Authentication

A

Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication.

The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user’s identity and authorizes them for access to the network. This defines port security.

40
Q

FIDM: RP

A

Relying parties (RPs) provide services to members of a federation.

Also known as the service provider because it consumes the tokens generated by the IdP