Week 7

Question 1

How are occurrences identified?

Answer 1

By comparing abnormal activities to establish baseline and thresholds of known good system performance and operation

Question 2

What is collection?

Answer 2

The identification, labeling, recording, and acquisition of data for the possible sources of relevant data

Question 3

2 ways that an incident can be classified:

Answer 3

• Precursors

- Indicators

Question 4

What port is SSH

Answer 4

22

Question 5

What are common sources that can facilitate the identification of precursors and indicators?

Answer 5

• antivirus software

- people from within

Question 6

What are the main objectives within incident response?

Answer 6

• resolving the incident according to official requirements
• mitigating the risk or threat
• restoring integrity of affected system
• implementation of proactive and reactive defensive and productive measures

Question 7

What incident categories must be sanitized and rebuilt from trusted media?

Answer 7

1,2, or 7

Question 8

Who will make the block determination and provide guidance to the affected commands?

Answer 8

NCDOC

Question 9

Incidents of what category would potentially trigger gateway blocks?

Answer 9

1, 2, 3, 4, 6, 7

Question 10

The implementation of NCDOC IP black lists and DNS Black Holes Lists are mandatory.

Answer 10

True

Question 11

Who is responsible for Tier 2?

Answer 11

NCDOC

Question 12

Who serves as the principal advisor and representative to the CO in matters pertaining to the ES?

Answer 12

CSM

Question 13

What is volatile data?

Answer 13

Data on a live system that will be lost when the system is rebooted or powered off

Question 14

What’s the system state command used for user accounts?

Answer 14

Net user

Question 15

Verifying data integrity is accomplished by?

Answer 15

Creating a message digest hash such as MD5 or SHA1

Question 16

What can the working copy be used for?

Answer 16

Search for the evidence and to perform any required analysis of the data without the risk of affecting the original data or the master copy

Question 17

Our networks are configured to a level of risk that can be deemed acceptable

Answer 17

True

Question 18

What is static analysis?

Answer 18

The process of examining and interpreting the contents of the malware sample without executing the file

Question 19

What are the abnormal combinations of seemingly uninteresting events?

Answer 19

• an unrecognized connection to a web server
• an unrecognized configuration change
• an unrecognized user creation or privilege escalation

Question 20

What is one of the primary objectives for post-incident analysis?

Answer 20

Identifying technical or operational training needs

Question 21

What is the response we use for the increase in security events?

Answer 21

Operation rolling tide

Question 22

What is data compromise?

Answer 22

The compromise or probably compromise of classified information

Question 23

Event flow chart matching

Answer 23

1. Generated event
2. Event discovery
3. Consolidated and aggregated events
4. Event analysis
5. Is it an event incident?

Question 24

After the evident has been I defined as an incident, then what is it called?

Answer 24

Incident response

Question 25

Delivery Vector Category 1A:

Answer 25

Reconnaissance, information gathering and data mining

Question 26

Delivery Category Vector 6A

Answer 26

Other IS compromise: compromise resulting from access previously gained on another IS

Question 27

Cyber events are generally detected when?

Answer 27

When a person or security system detects suspicious behavior or known threat

Question 28

When do you determine a detected event is reportable?

Answer 28

Once an event has been detected

Question 29

If trained personnel are available, what do we do?

Answer 29

Capture volatile data and then ship to NCDOC for analysis

Question 30

Order of incidents

Answer 30

1. Root level intrusion
2. User level intrusion
3. Unsuccessful activity attempted
4. Denial of service
5. Non-compliance activity

Question 31

What is root level intrusion?

Answer 31

Unauthorized privileged access to a DOD system

Question 32

What is User Level Intrusion?

Answer 32

Unauthorized non-privileged access to a DOD system

Question 33

What is unsuccessful activity attempted?

Answer 33

Attempt to gain unauthorized access to the system

Question 34

What is Denial of Service?

Answer 34

Activity that impairs, impedes, or halts normal functions

Question 35

What is non-compliance activity?

Answer 35

Used for activity hat due to DOD actions makes DOD systems potentially vulnerable

Question 36

HBSS is what kind of application?

Answer 36

Host based software application

Question 37

Matching
Application: 
Host:
Internal network:
Perimeter:
Physical:

Answer 37

Application: white-listing
Host: HBSS
Internal network: internal firewalls
Perimeter: external intrusion detection systems
Physical: alarm systems

Question 38

Signs of an occurrence are identified by?

Answer 38

Comparing abnormal activity to establish baseline and thresholds of known good system performance and operation

Question 39

two types of antivirus software that the Navy uses.

Answer 39

McAfee

Symantec

Question 40

What do COA’s focus on?

Answer 40

Containment, eradication, recovery

Question 41

Matching
Net user:
ARP-a
Ipconfig /all:
Netstat:
Tasklist

Answer 41

Net user: user accounts
Arp-a: ARP table
Ipconfig /all: network interfaces
Netstat-Ann: network connections
Tasklist: running tasks

Question 42

What is the working copy used for?

Answer 42

To search for the evidence and to perform any required analysis of the data without he risk of affecting the original data or the master copy

Question 43

Our networks are configured with a level of risk that has been deemed acceptable.

Answer 43

True

Question 44

What is static analysis?

Answer 44

The process of examining and interpreting the contents of the malware samples without executing the file

Question 45

What is a primary objective post incident analysis?

Answer 45

Identifying operational training needs

Question 46

What are the severity levels for HIPS?

Answer 46

High
Medium
Low
Informational

Question 47

What does operational reporting do?

Answer 47

Reporting provides commanders with information regarding their network security and its potential impact of the mission

Question 48

Information that reveals specific DOD vulnerabilities that are not commercial public knowledge for all DoD systems are classified as what?

Answer 48

SECRET

Question 49

How long do you have for a final report?

Answer 49

24 hours or as directed

Question 50

Loss of PII, how much time to report?

Answer 50

1 hour

Question 51

What is JIMS and what systems does it work with?

Answer 51

Joint Incident management systems and works with SIPR to classify messages

Question 52

What CYBERCON is most restrictive?

Answer 52

1

Question 53

What CYBERCON is least restrictive?

Answer 53

5

Question 54

LINUX record log information in what directory?

Answer 54

/var/log

Question 55

What does a medium event consist of in HBSS?

Answer 55

Signatures of behavioral activity where applications operate outside their envelope or normal operating environment

Question 56

What is the process of reviewing events and information across more Han one incident to identify trends, patterns, signatures, or hacker modes of operation?

Answer 56

Correlation

Question 57

What is done during post activity? And when is it mandatory?

Answer 57

Hold a lessons learned

• mandatory for major incidents
• optional for otherwise