Hacker Techniques Tools and Incident Handling
First Tier of Forensics
The first tier, which is the preparation or collection phase, involves the search, recognition, collection, and documentation of electronic evidence. To preserve the original evidence, this tier often requires creating an image of the original digital media without disturbing its contents.
Fourth Tier of Forensics
The fourth or reporting tier includes documenting the results of the examination process and limitations of the investigation. Ideally, this phase will be enabled throughout the course of the investigation by features built into the digital forensic tools.
What is a Business impact analysis (BIA)?
The process of analyzing existing risk and using various strategies to minimize said risk
Second Tier of Forensics
The second tier is the examination phase, which helps to make digital evidence visible and explains its origins and significance. This includes revealing hidden or obscured information.
Third Tier of Forensics
The third tier is the analysis phase, which involves studying the product of the examination tier for its relative importance to the case under investigation.
What is anomaly detection?
Type of detection that uses a known model of activity in an environment and reports deviation from the model as potential intrusions.
A DoS attack on a router will revert it to a _______
fail-open state
What is a Cold site?
A backup location which is very inexpensive to maintain. Often does not contain backed-up copies of data and configurations, or necessary hardware in place, but does include basic facilities and power.
What is a Warm site?
A backup location which offers a balance between expense and outage time. Typically has some, if not all, necessary hardware in place, with other items such as power and Internet connectivity already established. These sites usually contain backups, but they may be out of date by several days or weeks.
What is an Incident Response Plan (IRP)?
A plan including all the steps and details required to investigate a security breach.
What is a Hot site?
A top-of-the-line backup location that provides little to no downtime but at high expense. These sites have a high degree of synchronization with the primary site, up to the point of completely duplicating it. Requires a high degree of complexity and cost but substantially reduces downtime.
In Linux, you issue commands from a command line using which of the following? A. A terminal window B. The KDE interface C. The GNOME interface D. The kernel
A. A terminal window
Which of the following are scripting languages? (choose two) A. Active X B. Java C. CGI D. ASP.Net
A. Active X C. CGI
Which of the following can limit the impact of worms? A. Antivirus software, firewalls, patches B. Anti-spyware, firewalls, patches C. Anti-worm software, firewalls, patches D. Anti-malware
A. Antivirus software, firewalls, patches
What are Web applications used for? A. Enabling dynamic content B. Streaming video C. Applying scripting D. Lack of input validation
A. Enabling dynamic content
A(n) _____ is a plan that defines the procedures for responding to a security threat. A. IRP B. DCP C. DRP D. None of the above
A. IRP
Monitoring __________ allows network analysts to see exactly which hosts may be compromised and what destination IP addresses employees are accessing. A. Internal network traffic B. External network traffic C. Cross-site scripting (XSS) D. The Damn Vulnerable Web Application (DVWA)
A. Internal network traffic
Which of the following is a desktop interface for Linux? A. KDE B. SUSE C. Ubuntu D. GPL
A. KDE
What is the core of the Linux operating system? A. Kernel B. Shell C. GUI D. VPN
A. Kernel
Covert channels work over A. Known channels B. Wireless C. Networks D. Security controls
A. Known channels
______ is used to fake a MAC address. A. Spoofing B. Flooding C. Poisoning D. Hijacking
A. Spoofing
______ record(s) a user's typing A. Spyware B. Viruses C. Adware D. Malware
A. Spyware
To establish a connection-oriented connection, a(n) __________ (SYN > SYN-ACK > ACK) is performed between the IP source and IP destination. A. Three-way handshake B. IP handshake C. IP address handoff D. connection handoff
A. Three-way handshake
A DoS attack is meant to deny a service from legitimate usage. A. True B. False
A. True
Active sniffing is used when switches are present A. True B. False
A. True
Backdoors on a system can be used to bypass firewalls and other protective measures A. True B. False
A. True
Because your Web browser is your main portal to the Internet, you need to be sure you have its latest version and to download all the updates. A. True B. False
A. True
In a phone-based attack, it is fairly easy for an attacker to make a call that appears to be coming from the CEO's office and win the trust of someone else in the organization. A. True B. False
A. True
Session hijacking is used to take over an authenticated session A. True B. False
A. True
Setting up a limited profile on Facebook gives you flexibility as to who is allowed to see which portions of a profile A. True B. False
A. True
Someone walking into an office and taking a file folder full of important data off a desk can be part of a social engineering attack? A. True B. False
A. True
The command mv is designed to move files. A. True B. False
A. True
Trojans are a type of malware A. True B. False
A. True
Trojans can be used to open backdoors on a system A. True B. False
A. True
Worms are designed to replicate repeatedly. A. True B. False
A. True
You should never use information posted about you online as the basis for your password or security hints. A. True B. False
A. True
____ attach(es) to files. A. Viruses B. Worms C. Adware D. Spyware
A. Viruses
Which command is used to list all the files and subdirectories in a given location? A. ls B. cd C. rm D. del
A. ls
Another location from which to conduct business in the event of a disaster is called a(n) ______
Alternate site
Social engineering scam involving Amazon and publicly available information
Amazon "Customer Service Backdoor"
What is a Network-based intrusion detection system (NIDS)?
An IDS that can detect suspicious activity on a network, such as misuse, SYN floods, MAC floods, or other similar behavior. The NIDS device monitors the network through the use of a network card that allows it to view all traffic through the switch.
What is a Host-based intrusion detection system (HIDS)?
An IDS that can monitor activity on a specific host or computer. The HIDS extends only what is on the specific host, not on the network. This type of IDS can monitor access, event logs, system usages, and file modifications.
What is an IDS?
An Intrusion Detection System (IDS) is a tool that enables you to detect attacks on a network or host basis.
What percentage of companies are estimated to have policies regarding social networking? A. 15 percent B. 40 percent C. 75 percent D. 90 percent
B. 40 percent
____ runs completely from removable media. A. Linux B. A Live CD C. The kernel D. A Shell
B. A Live CD
Prevention of viruses and malware includes ______ A. Pop-up blockers B. Antivirus C. Buffer overflows D. All of the above
B. Antivirus
Sniffers can be used to A. Decrypt information B. Capture information C. Hijack communications D. Enforce Security
B. Capture information
Which of the following is a characteristic of adware? A. Gathering information B. Displaying pop-ups C. Intimidating users D. Replicating
B. Displaying pop-ups
Monitoring __________ allows information systems security practitioners to see who and what is attempting to infiltrate the IP network. A. Internal network traffic B. External network traffic C. Cross-site scripting (XSS) D. The Damn Vulnerable Web Application (DVWA)
B. External network traffic
BCP is used to define the process and procedure used to clean up after a disaster. A. True B. False
B. False
Backdoors are an example of covert channels A. True B. False
B. False
If you really understand Facebook's privacy settings, you can arrange to keep everything in your profile private. A. True B. False
B. False
It's acceptable to use one password for all of your online financial accounts, as long as that one password is strong enough A. True B. Are you ****ing kidding me?
B. False
Multipartite viruses come in encrypted form A. True B. False
B. False
Scareware is harmless A. True B. False
B. False
Session hijacking is used to capture traffic A. True B. False
B. False
The command mv is used to remove empty directories. A. True B. False
B. False
The command used to display where you are in the file system is cd. A. True B. False
B. False
The stability of a Web server does not depend on the operating system. A. True B. False
B. False
The target of source code exploits is most often databases. A. True B. False
B. False
Viruses do not require a host program A. True B. False
B. False
Browsers do not display which of the following? A. ActiveX B. Hidden fields C. Java D. JavaScript
B. Hidden fields
Which of the following statements is true regarding building a baseline definition? A. In a real-world situation, a proper baseline definition can be built in a matter of minutes. B. Network engineers use baseline analysis to identify anomalies that could indicate problems. C. Baseline analysis involves a single tool and deals with small packet capture files. D. Baseline analysis only needs to be performed once, not as a regular part of network monitoring.
B. Network engineers use baseline analysis to identify anomalies that could indicate problems.
What technique is used when traffic is captured on a network with hubs A. Active sniffing B. Passive sniffing C. MAC flooding D. Ether flooding
B. Passive sniffing
Which of the following challenges can a firewall solve? A. Protection against buffer overflows B. Protection against scanning C. Inadequate input validation D. Ability of a Web application to use nonstandard ports
B. Protection against scanning
Which of the following is designed to exploit applications that solicit the client to supply data that is processed in the form of SQL statements? A. Buffer overflows B. SQL injection C. Buffer injection D. Input validation
B. SQL injection
What is a term for tricking or coercing people into giving up confidential information or otherwise violating security policy? A. Social media B. Social engineering C. Social networking D. Reverse social engineering
B. Social engineering
What type of device can have its memory filled up when MAC flooding is used A. Hub B. Switch C. Router D. Gateway
B. Switch
Which command is used to create new directories? A. cddir B. mkdir C. rmdir D. lsdir
B. mkdir
Which of the following is used to audit databases? A. Ping B. IPConfig C. NGSSquirrel D. XSS
C. NGSSquirrel
____ is designed to intimidate users A. Adware B. Viruses C. Scareware D. Worms
C. Scareware
Which is used to intercept user information? A. Adware B. Scareware C. Spyware D. A virus
C. Spyware
____ is known to disable protective mechanisms on a system such as antivirus software, anti-spyware software, and firewalls, and to report on a user's activities. A. Adware B. Scareware C. Spyware D. A virus
C. Spyware
Which of the following are used to gather additional packet data for Wireshark to send small files between clients and servers on the various machines? A. The Damn Vulnerable Web Application B. NetWitness Investigator C. The Tftpd64 application and FileZilla D. TCPdump and PuTTY
C. The Tftpd64 application and FileZilla
What is the front line of defense for cybersecurity in any organization? A. A carefully written set of policies governing acceptable use of corporate computers B. Federal laws that protect privacy C. The end user D. A solid firewall
C. The end user
______ are methods for transferring data in an unmonitored manner
Covert channels
Trojans are designed to be small and stealthy in order to: A. Bypass covert channels B. Bypass firewalls C. Bypass permissions D. Bypass detection
D. Bypass detection
TCPdump is a command line utility used to: Select one: A. Identify common network protocols. B. Identify network baseline definitions. C. Create network baseline definitions. D. Capture network traffic on a server.
D. Capture network traffic on a server.
Which of the following is one of the goals of Trojans? A. Sending data B. Changing system settings C. Opening covert channels D. Giving remote access
D. Giving remote access
Which of the following tools is a seven-layer protocol analyzer that is user friendly and provides detailed protocol analysis and protocol behavior analysis? A. TCPdump B. Wireshark C. Damn Vulnerable Web Application D. NetWitness Investigator
D. NetWitness Investigator
A network baseline definition is a record of A. Network breaches and failures. B. Audits performed on the network. C. Adherence to corporate policies. D. Normal network performance.
D. Normal network performance.
An attacker who gains the trust of a potential victim to the point where the victim volunteers information before the attacker tries to get it is said to have succeeded in what? A. Social media B. Social engineering C. Social networking D. Reverse social engineering
D. Reverse social engineering
What is a Business continuity plan (BCP)?
Defines how the organization will maintain normal day-to-day business after a security incident or other disruptive event.
What is a Disaster recovery plan (DRP)?
Defines how personnel and assets will be safeguarded in the event of a disaster, and how assets will be restored and brought back to an operating state after the disaster passes.
______ is the term for criminals' practice of going through industrial or corporate trash containers looking for information such as contact lists, manuals, memos, calendars, and printouts of important documents.
Dumpster diving
_____ is a combination malware and Trojan Horse RAT based on Stuxnet designed to spy on industrial control systems
Duqu
_____ is a powerful preventive measure for stopping viruses.
Education and Anti-virus software
______ is used to overwhelm a service
Hijacking (or DDoSing)
_____ are configured to go off at a certain date, time, or when a specific event occurs
Logic bombs
______ is used to flood a switch with bogus MAC addresses
MAC flooding
______ is sending mass emails in the hope of getting a small percentage response
Phishing
_______ is creating a fabricated situation to extract information or access; it is more time consuming and does not rely on the urgency of phishing attacks.
Pretexting
Petya and SamSam are examples of _____
Ransomware
What is signature recognition?
Refers to an IDS that is programmed to identify known attacks through common digital fingerprints
______ perform active and passive scans of network to identify all SQL Server installations that may be hidden
SQLPing 3.0 and SQLRecon
A well-known exploit in the GNU Bourne-Again Shell (BASH), a very popular command-line shell used by Unix, Linux, Mac OS, and many Internet of Things devices.
ShellShock
______ is sending targeted emails after performing reconnaissance on a target
Spear Phishing
_____ is malware spread via infected USB drives or across a network as a worm. It was designed to interfere with the Siemens programmable logic microcontroller in order to make centrifuges operate at unsafe speeds while displaying the proper speed.
Stuxnet
Unauthorized physical access such as holding the door open is known as _____
Tailgating
What is the GPL?
The General Public License (GPL) is the software license that governs the Linux kernel and other open source software.