CNA285 - Chapter 10 Selecting the Best Course of Action
____________ _____________ is the process by which a user who has limited access to a system elevates that access in order to acquire unauthorized privileges.
Privilege escalation
True or False: A good way to detect scan sweeps is by paying attention to ARP messages.
True
True or False: NACs provide centralized logs that are used to detect attempted connections by rogue devices.
True
To see which sockets belong to which processes, use the netstat command. Each operating system uses different parameters with this command. What are they?
Windows: netstat -ano
Mac OS: netstat -v
Linux: netstat -nap
Use the following scenario to answer the next 4 Questions:
You receive a call from the head of the R&D division because one of her engineers recently discovered images and promotional information of a product that looks remarkably like one that your company has been working on for months. When reading more about the device, it becomes clear to the R&D head that this is in fact the same product that was supposed to have been kept under wraps. She suspects that the plans have been stolen. When inspecting the traffic from the R&D workstations, you notice a few patterns in the outbound traffic. The machines all regularly contact a domain registered to a design software company, exchanging a few bytes of information at a time. However, all of the R&D machines communicate regularly to a print server on the same LAN belonging to Logistics, sending several hundred megabytes in regular intervals.
______ relies on tamper-resistant labels on files and networks that track them as they are moved within and out of the network.
DLP
Which one of the following storage devices is considered to be the most volatile? A. Random-access memory B. Read-only memory C. Cloud storage D. Solid-state drive
A. Random-access memory
Which of the following is not an area to investigate when looking for indicators of threat activity? A. Network speed B. Memory usage C. CPU cycles D. Disk space
A. Network speed
Why is this device an ideal choice as a source of the leak? A. This device might not arouse suspicion due to its normal purpose on the network. B. This device has regular communications outside of the corporate network. C. This device can emulate many systems easily. D. This device normally has massive storage resources.
A. This device might not arouse suspicion due to its normal purpose on the network.
What is a common technique that attackers use to establish persistence in a network? A. Buffer overflow B. Adding new user accounts C. Deleting all administrator accounts D. Registry editing
B. Adding new user accounts
What device does it make sense to check next to discover the source of the leak? A. The DNS server B. The printer server belonging to Logistics C. The mail server D. The local backup of the R&D
B. The printer server belonging to Logistics
The practice of permitting only known-benign software to run is referred to as what? A. Blacklisting B. Whitelisting C. Blackhatting D. Vulnerability scanning
B. Whitelisting
Which of the following is not considered part of the lateral movement process? A. Internal reconnaissance B. Privilege escalation C. Exfiltration D. Pivoting attacks
C. Exfiltration
What is the most likely explanation for the outbound communications from all the R&D workstations to the design company? A. Command-and-control instructions B. Exfiltration of large design files C. License verification D. Streaming video
C. License verification
What is the term for the periodic communications observed by the R&D workstations? A. Fingerprinting B. Chatter C. Footprinting D. Beaconing
D. Beaconing
What is a useful method to curb the use of rogue devices on a network? A. SSID B. FLAC C. WPA D. NAC
D. NAC