infosec
Which of the following is used to perform "Google Hacking"?
"Google Hacking" refers to using search phrases to identify vulnerable services and devices on the web.
Write the switch to add to an Nmap scan to record the path to the target:
--traceroute (or --tr)
Put the seven stages of Microsoft's Security Development Lifecycle (SDL) into the correct order (1-7):
1 - Training, 2 - Requirements, 3 - Design, 4 - Implementation, 5 - Verification, 6 - Release, 7 - Response
What port on a firewall must be opened to allow an SSH connection to a web server?
22
What type of test can prevent abuse of a password mechanism by a script?
A CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) challenge.
What is the use of a Registry Viewer when performing incident response?
A Registry Viewer allows the contents of the Registry in a captured image to be analyzed on the forensics workstation.
What is the difference between a blackhole and a sinkhole?
A blackhole simply drops traffic while a sinkhole routes it to a different network. This relieves the production network and provides some possibility to recover legitimate traffic or analyze the attack.
What type of policy governs management of backup and archiving?
A data retention policy.
What is the difference between a directory service and RADIUS?
A directory service is a database of network users and other objects. Remote Authentication Dial-In User Service (RADIUS) is a type of Authentication, Authorization, Auditing (AAA) service. The RADIUS protocol can be used by an access device on the network edge to query a directory service for user information without having to store the information or process credentials locally.
What type of system is placed in a network segment for the sole purpose of providing administrative access to other servers and appliances in the same segment?
A jump box (or jump server)
What distinguishes an incident summary report from a lessons learned report?
A lessons learned report is a technical report designed for internal use. An incident summary report may be distributed more widely to stakeholders.
What type of wireless analysis would report radio spectrum usage rather than capture packets?
A site survey would use spectrum analysis to report RF strength at different locations, but from a security point of view you might use this to detect rogue access points (or other unauthorized radio stations).
What is a maturity model?
A statement of how well-developed a system or business process (such as security assurance) is. Most maturity models progress in tiers from a naïve state to one where the organization demonstrates best practice and can assist other organizations in their development.
What is Schneier's Law?
A system architect is not necessarily best placed to assert the robustness of the security system they designed. Penetration testing is a different skillset and area of expertise from design, so scrutiny that is independent of the architecture team is usually advisable.
What type of software or hardware should be installed before a forensics workstation is connected to a hard drive seized as evidence?
A write blocker.
What type of attack does MAC limiting mitigate?
ARP spoofing and flooding attacks.
What is an APT?
Advanced Persistent Threat - an attacker's ability to obtain, maintain, and diversify access to network systems.
Identify the type of policy that BEST matches each of the following descriptions and examples (use each policy type ONCE or not at all): blank - Affects backup procedures and resourcing. blank - Governs the creation and publication of reports. blank - Affects contractor offboarding procedures. blank - Affects BYOD policies and procedures.
Affects backup procedures and resourcing - Data retention policy, Governs the creation and publication of reports - Data classification policy, Affects contractor off-boarding procedures - Account management policy, Affects BYOD policies and procedures - Data ownership policy
What are the main functions of SIEM?
Aggregate data from different sources, analyze it for correlating risk indicators, and alert and present information. Additionally, SIEM is useful for archiving and compliance.
What type of policy might include or supplement a BYOD policy?
An acceptable use policy (though you might also argue that data ownership and classification policy will impact use of mobile devices).
What type of system isolation ensures that the host is physically disconnected from any network?
An air gap.
What is the difference between an audit and an evaluation?
An audit is typically a very formal process completed against some sort of externally developed or enforced standard or framework. An evaluation is a less methodical process more dependent on the judgement of the evaluator.
How do you distinguish non-critical from critical systems?
Analyze business processes and identify the ones that the business could not afford not to run. The assets that support these essential services and functions are critical assets.
What are the three main types of fuzzer?
Application UI, protocol, and file format.
What type of threat is NAC designed to mitigate?
Attaching devices that are vulnerable to exploits, such as unpatched systems, systems without up-to-date intrusion detection, unsupported operating systems or applications software, and so on.
Following the CompTIA Cybersecurity Analyst syllabus, what type of verification or Quality Control process has been omitted from the following list? Evaluations, Assessments, Maturity Model, Certification
Audits
Following the CompTIA Cybersecurity Analyst syllabus, which type of log identified as important for manual review has been omitted from the following list? Firewall log, Syslogs, Event logs
Authentication logs (or audit logs more generally)
Following the CompTIA Cybersecurity Analyst syllabus, which rule of engagement for penetration testing has been omitted from the following list? Scope, Timing, Exploitation, Communication, Reporting
Authorization
Following the CompTIA Cybersecurity Analyst syllabus, which network-related symptom requiring incident response has been omitted from the following list? Bandwidth consumption, Irregular peer-to-peer communication, Rogue devices on the network, Scan sweeps, Unusual traffic spikes
Beaconing
Following the CompTIA Cybersecurity Analyst syllabus, which type of context-based authentication has been omitted from the following list? Time, Location, Frequency
Behavioral
Why is "big data" of relevance to security analysis?
Big data refers to the ability to store and search high volume, high velocity (constantly changing) unstructured data sets. The data captured by security appliances (log files, packet captures, scan results, and so on) fits this description.
What mechanism is used to ensure the confidentiality and integrity of messages passing between a RADIUS client and a RADIUS server?
Both are configured with the same shared secret
How is scan scope most likely to be configured?
By specifying a target IP address or IP address range. Different products have different methods of storing this information (as groups or targets for instance)
Which of the following are fields in an Ethernet frame?
CRC, Type
Which forensics tool is particularly suited to analysis of data on mobile devices?
Cellebrite's Universal Forensic Extraction Devices (though both AccessData and EnCase have mobile products for their forensics platforms).
What documentation is called out as supporting forensics investigations in the CSA+ syllabus?
Chain of Custody form, Incident Response plan, Incident form, Call / Escalation lists.
What is the principal advantage of the Nexpose vulnerability scanner?
Close integration with Metasploit allows for active testing of discovered vulnerabilities.
Categorize the following threats as known, unknown, or zero-day: blank - Code injection DoS on web server application. blank - Encrypted traffic with unidentified but non-blacklisted remote IP address. blank - DDoS attack on web services. blank - Malware signature detected in file. blank - Remote shell commands issued by end-user workstation. blank - Phishing attempt on senior manager's personal email account.
Code injection DoS on web server application - Zero-day, Encrypted traffic with unidentified but non-blacklisted remote IP address - Unknown, DDoS attack on web services - Known, Malware signature detected in file - Known, Remote shell commands issued by end-user workstation - Unknown, Phishing attempt on senior manager's personal email account - Known
What is a C2 server?
Command & Control server managing the malware installed on hosts from an external network.
What is a "CSIRT"?
Computer Security Incident Response Team
The CompTIA Cybersecurity Analyst syllabus identifies two principal factors for prioritizing remediation actions: ________ and ________.
Criticality and Difficulty of Implementation
What type of training allows employees to develop a multi-disciplinary skillset?
Cross-training.
Which of the following processes would you NOT expect to be running under services.exe? Csrss.exe, Lsass.exe, Svchost.exe, SearchIndexer.exe, Spoolsv.exe.
Csrss.exe and Lsass.exe.
Why is it necessary to include marketing stakeholders in the incident response process?
Data breaches can cause lasting reputational damage so communicating failures sensitively to the media and the wider public and protecting the company's brand is important.
Following the CompTIA Cybersecurity Analyst syllabus, which scope of impact factor contributing to incident prioritization has been omitted from the following list? Downtime, Recovery time, Economic, System process criticality
Data integrity
Identify whether each of the following describes a NIDS or a HIDS: blank - Detect port scans using port mirroring. blank - Can be deployed without affecting existing appliance or host resource requirements. blank - Detection algorithms can be vulnerable to packet fragmentation. blank - Can identify changes to system files.
Detect port scans using port mirroring - NIDS, can be deployed without affecting existing appliance or host resource requirements - NIDS, Detection algorithms can be vulnerable to packet fragmentation - NIDS, Can identify changes to system files - HIDS
How does the Intelligence-Driven Computer Network Defense white paper categorize defensive capabilities?
Detective, destructive, degrading, disruptive, denying, deceptive.
What techniques are used to reduce the host attack surface when hardening systems?
Disable unnecessary interfaces, services, and ports. Uninstall unnecessary software and ensure the system is fully patched. Configure the minimum possible user accounts and system privileges.
What are the scope of impact factors governing incident prioritization?
Downtime, recovery time, data integrity, economic impact, criticality of process.
A company requires two IT administrators to authorize the deployment of a new VM. This type of policy is referred to as ___________.
Dual Control
What secure communications methods are suitable for incident response?
During a serious event, the essential point is to assume that internal communication channels might be compromised. Third party messaging products with end-to-end encryption should be secure enough for most institutions but those processing extremely sensitive information might require the use of bespoke products.
Following the CompTIA Cybersecurity Analyst syllabus, which preventative class of cybersecurity tool or technology has been omitted from the following list? IPS / HIPS, Firewall, Anti-virus / Anti-malware, Web Proxy, Web Application Firewall (WAF)
EMET (Enhanced Mitigation Experience Toolkit)
What are the main four actions that must be performed in validating that an infected host has been remediated?
Establish patch management, audit permissions, scan for software or configuration vulnerabilities, and verify continuous monitoring via logging and event recording.
When an asset is non-compliant in terms of best practice security controls, a process of _________ management is used to explain and mitigate the lack of controls.
Exception Management
If you are operating a robust security management plan for the corporate data network, what additional consideration(s) might protecting SCADA infrastructure demand?
Expertise in managing SCADA systems might be lacking. Such systems are likely to be unfamiliar to staff expert in PC networks and expertise may also be highly product-specific.
Following the CompTIA Cybersecurity Analyst syllabus, which digital forensics suite has been omitted from the following list? EnCase, Helix, Sysinternals, Cellebrite
FTK (Forensic Toolkit) - we also mention The Sleuth Kit / Autopsy in our course, though this is not on the CompTIA syllabus itself.
True or false? OpenVAS is the vulnerability feed for numerous other scanners rather than a vulnerability scanner in its own right.
False
True or false? A port that is reported as "closed" by Nmap is likely to be one protected by a firewall
False - a closed port responds to probes with a RST because there is no service available to process the request. This means that the port is accessible through the firewall. A port blocked by a firewall is in the "filtered" state.
True or false? The best definition of a compensating control is "a legal or insurance agreement to agree financial compensation for data breaches or other severe information assurance failures".
False - a compensating control mitigates the lack of or failure of other controls more generally (it could include a technical control such as backup)
True or false? Where it contains critical results, a scan report should be sent to the user of the affected workstation so that remediation can take place as soon as possible.
False - scan reports should be acted on by administrators, not end users.
True or false? When making a cryptographic hash of the contents of a hard drive, the same command line utility must be used to validate the hash.
False - the utilities implement standard algorithms so the output of 'certutil sha1' should be the same as 'sha1sum' (for instance).
What part of the NIST Cybersecurity Framework is used to provide a statement of current cybersecurity outcomes?
Framework Profile.
Which of the following is NOT a means of enforcing network segmentation? Select one: a. Blackhole b. GPO c. Air Gap d. VLAN e. Firewall
GPO
Following the CompTIA Cybersecurity Analyst syllabus, what type of data output from network reconnaissance results has been omitted from the following list? Firewall logs, Packet captures, Nmap scan results, Event logs, Syslogs
IDS report
What IEEE standard is the basis for many endpoint security systems?
IEEE 802.1X (Port-based Network Access Control)
Why might manual review of authentication logs be required as part of reviewing security architecture?
If unauthorized access is suspected but has not been flagged by SIEM (discover and eliminate false negatives).
Your UTM has prevented the transfer of SQL data from a sales database containing customer records to an external IP address from a workstation on the Windows domain network. A partial transfer of information has already occurred. What are your priorities and how should the incident be managed going forward?
Initiate a lockdown of premises and urgently review the physical system and network traffic / system logs to determine whether the attacker was physically present and could attempt to remove the data on physical media. If possible, analyze a packet trace to determine what information was breached. Prepare for a forensic investigation of the compromised system and for a report to stakeholders about what information could have been disclosed.
A jump box is a host used to provide remote administrative access to appliances and servers within the same security zone.
Jump box (or jump server)
Your SIEM has flagged unusually high incidence of CPU spikes on multiple workstations across the network, mostly occurring early in the morning. No server systems seem to be affected. What (if any) incident response actions should you perform?
Log a low priority incident and attempt to correlate (is a faulty patch causing the issue for instance?) Discount malicious actors by analyzing network traffic, looking for scan attempts. Continue at a heightened alert level if no definitive cause can be identified.
Identify the technology used to perform the following specific tasks (select each tool ONCE only or not at all): blank - Log traffic information using a command-line utility. blank - Perform packet injection. blank - Graphical utility for analyzing captured frames. blank - Read frames processed by the network adapter.
Log traffic information using a command-line utility - tcpdump, Perform packet injection - hping, Graphical utility for analyzing captured frames - wireshark, Read frames processed by the network adapter - libpcap
What type of firewall rule provides detective rather than preventive security control?
Log-only
Which type of hash algorithm provides the best compatibility across different products and utilities?
MD5
What is "MSSP"?
Managed Security Service Provider
Following the CompTIA Cybersecurity Analyst syllabus, what type of incident response process stakeholder has been omitted from the following list? HR, Legal, Marketing
Management
Following the CompTIA Cybersecurity Analyst syllabus, which means of hardening a system or network against threats has been omitted from the following list? Compensating controls, Blocking unused ports / services, Patching
Mandatory Access Control (MAC)
Which of the following tools can be used to execute vulnerability scans? (choose ALL that apply)
Nessus, Qualys, Nexpose
Should the occurrence of an observable generate an administrative alert?
No - observables are the "raw" events. Observables are correlated as indicators and a number of indicators matching a rule might identify an incident and (depending on severity) be configured to alert an administrator.
Following the CompTIA Cybersecurity Analyst syllabus, which part of a digital forensics investigation suite has been omitted from the following list? Imaging utilities, Analysis utilities, Chain of Custody, Hashing utilities, Mobile device forensics, Password crackers, Cryptography tools, Log / file system / registry / USB viewers, Account / application data viewers
OS and process analysis
Which of the following resources would be MOST useful for informing developers about potential security issues in application code? Select one: a. ModSecurity b. OWASP ZAP c. CIS Top 20 d. OWASP Top 10
OWASP Top 10
Which file system locations are of principal interest to an attacker seeking to obtain OS or network password hashes for decryption?
On Windows the SAM (Security Account Manager) file or NTDS.DIT (on a Domain Controller). On Linux, typically the /etc/shadow file.
What is a compensating control?
One that mitigates the lack of or failure of other controls.
Breach of which of the following types of data represents the greatest risk in terms of regulatory compliance?
PHI
What is PtH?
Pass-the-Hash - establishing a session by presenting the hash of a password.
What are the principal configuration issues to consider when installing a NIDS?
Placement of the sensor to capture relevant network traffic and tuning of the detection rules to minimize false positives and false negatives.
What is succession planning?
Planning for the provision of a range of competencies at different levels of seniority throughout an organization. This ensures that if there is an event that adversely affects the availability of senior decision makers, staff that remain have the skills and experience to step into those roles.
What switch feature allows a NIDS to monitor traffic for all connected hosts?
Port mirroring or spanning.
What business process must be involved in providing source authenticity?
Procurement - source authenticity is all about oversight of the supply chain.
What is PHI?
Protected Health Information - such as medical and insurance records and hospital / lab test results.
Following the CompTIA Cybersecurity Analyst syllabus, which type of point-in-time analysis has been omitted from the following list? Packet analysis, Traffic analysis, Netflow analysis, Wireless analysis
Protocol analysis
What mechanism can be used to prove the identity of hosts and software applications?
Public Key Infrastructure (PKI) encryption - issuing hosts and signing executable code with digital certificates.
What is a RAT?
Remote Access Trojan - software that gives an adversary covert remote control of a host.
Selecting from only the options in the CompTIA Cybersecurity Analyst syllabus, which incident response containment technique is MOST effective at preventing data breach?
Removal
What policy restriction can improve the security of hosts used to manage network infrastructure?
Restrict Internet / web access to whitelisted sites and allow only whitelisted software to be installed.
What containment technique requires most resources to implement?
Reverse engineering.
If a company terminates the use of a process that was high risk, the remediation plan they are pursuing is called risk ________.
Risk Avoidance
Following the CompTIA Cybersecurity Analyst syllabus, which type of NAC policy has been omitted from the following list? Time-based, Rule-based, Location-based
Role-based
Following the CompTIA Cybersecurity Analyst syllabus, which source of identity-related security issues has been omitted from the following list? Personnel, Endpoints, Servers, Services, Applications
Roles
Which of the following devices would be used for NAT?
Router
Which of the following is NOT a source of threat intelligence information? Select one: a. FireEye b. SANDS c. Microsoft d. Alien Vault
SANDS
Which protocol is used for Windows File and Printer Sharing?
SMB
To perform reverse engineering on malware, you should first set up a lab environment that is isolated from the production network in a ________.
Sandbox
What preparatory step should be taken before using USB media to store forensic images?
Sanitize (wipe) the media.
Following the CompTIA Cybersecurity Analyst syllabus, which action in the validation phase of incident response has been omitted from the following list? Patching, Permissions, Verify logging / communication to security monitoring
Scanning
Following the CompTIA Cybersecurity Analyst syllabus, which requirement for incident response communication processes has been omitted from the following list? Limit to trusted parties, Disclosure based on regulatory / legislative requirements, Prevent inadvertent release of information
Secure method(s) of communication
What is "SAML"?
Security Assertion Markup Language
What is a horizontal brute force attack?
Selecting obvious passwords and attempting them against multiple user names. This circumvents the account lockout policies that defeat attempts to brute force a password.
Name two widely used open source NIDS:
Snort and Bro.
Which of the following is NOT used primarily for traffic analysis: Cacti, NetScout, Solar Winds, Snort.
Snort is an intrusion detection tool rather than a packet or traffic analyzer.
What steps would you take to investigate irregular peer-to-peer communication?
Start an incident response ticket and log all actions taken. Identify the IP addresses involved. On a LAN work out the identity of each host and the accounts and services running on them. On the Internet, use IP reputation services and geoIP to identify the host(s). Raise the logging and packet capture level to monitor the communications. Try to identify the traffic - if it contains sensitive data consider closing the channel to prevent further release of information.
Following the CompTIA Cybersecurity Analyst syllabus, which SDLC security testing phase has been omitted from the following list? Web app vulnerability scanning, Fuzzing / stress test application, Use interception proxy to crawl application, User Acceptance Testing, Security regression testing, Input validation
Static code analysis / manual peer review
What UNIX / Linux software is a de facto standard for centralized log collection?
Syslog.
What part of a forensic toolkit preserves the integrity of physical evidence?
Tamper-proof seals (or tamper-evident bags).
Who is the author of the "Critical Security Controls"?
The Center for Internet Security (CIS), founded by the SANS (SysAdmin, Network, and Security) Institute.
What is CVE?
The Common Vulnerabilities and Exposures (CVE) database - cybersecurity vulnerabilities in published operating systems and applications software.
What is the difference between Metasploit Framework and Armitage?
The Metasploit Framework is the tools used to craft and launch exploits (and manage the database of information discovered). Armitage is a GUI front-end for Metasploit (with additional team collaboration features).
Apart from identifying patch status, what information is reported by MBSA?
The Microsoft Baseline Security Analyzer can also identify administrative vulnerabilities (configuration errors or variance from best practice).
What is the use of "MRTG"?
The Multi Router Traffic Grapher is used to visualize traffic flows.
What additional information is returned if you run netstat with the -o switch on a Windows PC? Would you expect the same result in Linux?
The Process ID (PID) of the software that initiated the connection. In Linux, -o controls timing; the -p switch returns the PID.
What would you use Sysinternals for?
The Sysinternals Suite contains a number of tools for investigating the properties of Windows hosts. You can use the tools to investigate processes, autoruns, access permissions, and so on.
The ________ represents a linear stage-by-stage approach to software development. By contrast, the ________ performs the function of each stage concurrently on smaller modules or sub-projects.
The Waterfall Model is linear while Agile Development is modular.
How could SQL injection facilitate an XSS attack?
The attacker could use the SQL injection vulnerability to inject malicious HTML or PHP code into the application. When the browser views the infected page, it will run the code.
In what way can behavioral or location metrics improve the security of authentication methods?
The metrics can reveal intrusion attempts such as a script attempting a large number of logons from different locations.
How does the regulatory environment affect vulnerability scanning?
The regulator might impose requirements on types of scans and scan frequency to remain compliant.
What feature of a token-based authentication system makes it resistant to replay attacks?
The token is time stamped
A technician attending a user who has been complaining about frequent lockups and logoffs with his machine has discovered a large cache of encrypted zipped files stored within the "System Volume Information" folder. What are your priorities for incident response and what tools will you use?
This must be flagged as an important incident that requires the attention of multiple skilled incident responders. You must learn the content of the files, discover whether there has been a data breach, and try to identify the adversary. You will need to use forensic tools to investigate the presence of APT malware and network transmissions, analyzing log files and Registry changes on the compromised host. You may also try to use decryption tools to try to decipher the encrypted archives.
How can a threat be classified if it is unknown?
Threat intelligence and analysis of historical attacks provides research and information about the overall security landscape and the Tactics, Techniques, and Procedures (TTP) of known cyber adversaries. This research can create a domain of "known unknowns" where you can generalize likely targets without knowing the exact methodology and devise appropriate detection and response countermeasures.
Following the CSA+ syllabus, what are the four types of NAC policy?
Time-, rule-, role-, or location-based.
What type of analysis assesses threat levels with regard to historical information?
Trend analysis.
True or false? A self-service password mechanism can be protected by 2-step verification.
True
Following the CompTIA Cybersecurity Analyst syllabus, which host-related symptom requiring incident response has been omitted from the following list? Processor / memory / drive capacity consumption, Malicious processes, Unauthorized changes / privileges, Data exfiltration
Unauthorized Software
What is the best means of protecting a host against ARP cache poisoning?
Use a host-based intrusion detection agent.
What is the best means of protecting session cookies?
Use encrypted HTTPS only and restrict the use of the cookie to the application path. You can also set the cookie to be accessible only to HTTP and not by JavaScript.
What are the three general levels of security outsourcing?
Using individual consultancies, contracting a Managed Security Services Provider (MSSP), or using a Security as a Service (SECaaS) cloud provider.
In the context of federated identity management, what is automated provisioning?
Using software to communicate changes in account status and authorizations between systems rather than having an administrator intervene to do it manually.
What is packet injection?
Using software to write packets directly to the network stream, often to spoof or disrupt legitimate traffic.
What tools are available to perform passive environmental reconnaissance?
Web search ("Google Hacking"), email harvesting, social media harvesting, DNS harvesting, and website ripping.
Identify the role of each team (Blue Team, White Team, Red Team):
[White Team] - run the test. [Red Team] - test defences. [Blue Team] - run defences.
Following the CompTIA Cybersecurity Analyst syllabus, which factor influencing frequency of vulnerability scanning has been omitted from the following list? Risk appetite, Regulatory requirements, Technical constraints
Workflow
A ________ prevents data on a target drive from being changed by filtering commands at the driver and OS level.
Write Blocker
What is the effect of running 'tcpdump -i eth0 -w server.pcap'?
Write the output of the packet capture running on network interface eth0 to the 'server.pcap' file.
Your SIEM has alerted you to ongoing scanning activity directed against workstations and servers. The host intrusion detection on each target has blocked access to the source IP automatically. What are your options and considerations for investigating this incident?
You will want to identify the actor behind the scanning attempts, possibly without alerting him to the fact that he has been discovered. Log the incident and initiate a confidential response process. Gather information about the source IP and how it has been compromised. Verify that no successful exploits have been launched against critical systems. If you require additional evidence, consider using a honeypot to draw the attacker out. Ensure heightened monitoring across the network.
Identify the type of analysis being performed in each case by dragging the appropriate label into the box (use each label ONCE only or not at all): blank - monitor user account for use of non-whitelisted applications. blank - correlate individual data points to an indicator of compromise. blank - analyze deviations from baseline usage. blank - identify "sparse" scanning techniques.
[Behavioral analysis] - monitor user account for use of non-whitelisted applications. [Heuristic analysis] - correlate individual data points to an indicator of compromise. [Anomaly analysis] - analyze deviations from baseline usage. [Trend analysis] - identify "sparse" scanning techniques.
Drag the appropriate label over the marker for each of the following security information dictionaries (use each label ONCE only or not at all): blank - cybersecurity vulnerabilities in operating systems and application software. blank - configuration best practice statements. blank - flaws in the design and development of software.
[CVE] - cybersecurity vulnerabilities in operating systems and application software. [CCE] - configuration best practice statements. [CWE] - flaws in the design and development of software.
Identify the type of defensive capability being described in each case by dragging the appropriate label into the box (use each label ONCE only): detect - IDS system alerts that a port scan is being run against a host. destroy - A-V software quarantines a malware-infected file. disrupt - a firewall uses an IP reputation blacklist to block outbound connections selectively. deceive - adversary launches a successful Pass-the-Hash attack against a honeypot server.
[Detect] - IDS system alerts that a port scan is being run against a host. [Destroy] - A-V software quarantines a malware-infected file. [Disrupt] - a firewall uses an IP reputation blacklist to block outbound connections selectively. [Deceive] - adversary launches a successful Pass-the-Hash attack against a honeypot server.
Identify the type of countermeasure being used in each case by dragging the appropriate label into the box for each description (use each label ONCE only or not at all): blank - a network set up to invite attacks for the purpose of studying adversary techniques, tactics, and procedures. blank - a network port or path where packets are dropped or discarded. blank - a network segment facing an untrusted external network. blank - a network segment receiving traffic diverted from the production network under high load.
[Honeynet] - a network set up to invite attacks for the purpose of studying adversary techniques, tactics, and procedures. [Blackhole] - a network port or path where packets are dropped or discarded. [DMZ] - a network segment facing an untrusted external network. [Sinkhole] - a network segment receiving traffic diverted from the production network under high load.
Drag the label showing the appropriate type of documentation to the marker for each of the following tasks (use each label ONCE only or not at all): blank - standard procedure for detection of malware on an application server. blank - identify, classify, and prioritize a reported incident. blank - identify stakeholders for escalated incident response. blank - identify evidence collected during incident response.
[Incident Response Plan] - standard procedure for detection of malware on an application server. [Incident Form] - identify, classify, and prioritize a reported incident. [Call List] - identify stakeholders for escalated incident response. [Chain of Custody Form] - identify evidence collected during incident response.
Select the BEST tool to use to perform each of the following tasks by dragging the label to the appropriate box (use each label ONCE only or not at all): blank - collect traffic statistics by SNMP polling. blank - analyze endpoint traffic flows. blank - aggregate logs from multiple network appliances. blank - aggregate and analyze high volume, high velocity data.
[MRTG] - collect traffic statistics by SNMP polling. [SolarWinds] - analyze endpoint traffic flows. [Kiwi Syslog] - aggregate logs from multiple network appliances. [Splunk] - aggregate and analyze high volume, high velocity data.
Identify the type of identity exploit being performed in each case by dragging the appropriate label into the box (use each label ONCE only or not at all): blank - using ARP spoofing to intercept communications. blank - deploying an "evil twin" access point to harvest authentication credentials. blank - using a phishing email to send a crafted URL that will intercept browser form POST actions. blank - performing DoS against a client then re-establishing access using crafted cookies.
[Man-in-the-Middle] - using ARP spoofing to intercept communications. [Impersonation] - deploying an "evil twin" access point to harvest authentication credentials. [Cross-site Scripting] - using a phishing email to send a crafted URL that will intercept browser form POST actions. [Session Hijack] - performing DoS against a client then re-establishing access using crafted cookies.
Identify the framework being described in each case by dragging the appropriate label into the box (use each label ONCE only or not at all): blank - scalable methodology for risk-driven information assurance. blank - commercial IT governance framework with security as a core component. blank - IT security framework developed by an agency of the US government. blank - best practice framework for aligning IT service management with business needs.
[SABSA] - scalable methodology for risk-driven information assurance. [COBIT] - commercial IT governance framework with security as a core component. [NIST] - IT security framework developed by an agency of the US government. [ITIL] - best practice framework for aligning IT service management with business needs.
Following the CompTIA syllabus, on a Windows machine the ________ utility might be used for password cracking while on a Linux machine, the _________ utility would be used instead.
Cain and John the Ripper
True or false? An organization's incident response team must always be drawn exclusively from permanent employees.
false
True or false? One drawback of NIDS is that each sensor must be installed independently on its own network segment so there is no means of consolidating detection events across the whole network.
false
What is the advantage of the Nmap 'grepable' output format?
grep is a Linux command for running a regular expression to search for a particular string. Nmap's grepable output is easier for this tool to parse.
What API or APIs (software libraries) typically facilitates packet capture on Linux and Windows systems?
libpcap on Linux and WinPcap on Windows. You might also mention the AirPcap library for sniffing wireless traffic.
Which of the following tools is NOT of use in determining whether a process is being used maliciously?
psexec
Which Windows executable (enter the image name and extension) is the host process for programs that typically run without an interactive window?
services.exe
Drag the labels to put the components into the correct order of volatility (use each label ONCE only or not at all): blank - most volatile. blank - more volatile. blank - less volatile. blank - least volatile.
[System RAM] - most volatile. [HDD] - more volatile. [Syslog server] - less volatile. [DVD-R] - least volatile.
True or false? A company could outsource aggregation, correlation, and analysis of security event information to a cloud provider.
true
True or false? A cyber adversary may attempt to perform covert data exfiltration by encoding data in the packet headers or payloads of a protocol in non-standard ways.
true
True or false? Key components of a standard digital forensics kit deal with technologies such as SATA, SAS, M.1, USB, and Firewire.
true
True or false? Nmap can be used to test that the ACLs configured on a firewall are appropriate.
true
True or false? OpenSSL is a means of implementing certificate-based identity assurance.
true
True or false? Sysinternals is a collective or detective class of cybersecurity tool.
true
True or false? The failure of a service such as DNS is a strong indicator that a related attack is imminent or may be underway.
true
Which of the following is NOT a valid Windows system process name?
winiinit.exe
controls
• An identification, authentication, and authorization access control system is an example of a [Logical] type of security control.
• A mantrap is an example of a [Physical] type of security control.
• Separation of duties is an example of an [Administrative] type of security control.
Which of the following is used to perform "Google Hacking"?
Search operator
Why should a firewall be configured to block packets from an external network with source IP addresses belonging to the internal network?
The packets must have spoofed IP addresses.
What classes of security control are identified by the CSA+ syllabus?
Physical, logical, and administrative.
What type of scan is supported by the commercial Tenable Nessus product but not the open source OpenVAS?
Agent-based scans (though it is possible to configure two installations in a master/slave relationship, Windows is not well-supported).
What is an APT?
Advanced Persistent Threat
What is an "axfr"?
A DNS zone transfer (returning all the records in the zone) named after the switches used to initiate it by the dig tool.
Why might an SLA be a barrier to remediating a vulnerability?
A Service Level Agreement (SLA) is likely to specify maximum downtime periods or minimum uptime guarantees. If remediating the vulnerability will cause downtime the SLA may be breached. Also, maintenance windows might restrict the timing of service intervals. It is best to agree exceptions in the SLA so that critical vulnerabilities can be patched promptly.
What is firewalking?
A technique for probing the rules configured on a firewall.
What is "NX"?
Address space protection technology
What are the main phases in a typical "kill chain"?
Planning, reconnaissance, weaponization / exploit, lateral discovery, data exfiltration, retreat.
You are deploying a web application to a PaaS cloud. What step must you take before running a web application vulnerability scan?
Contact the cloud provider to obtain permission to perform scanning.
Following the CompTIA Cybersecurity Analyst syllabus, which factor influencing scanning criteria has been omitted from the following list? Sensitivity levels; Vulnerability feed; Scope; Types of data; Server-based versus agent-based.
Credentialed versus non-credentialed
What is a plug-in, in the context of vulnerability management?
Plug-in refers to vulnerability feeds in Tenable Nessus. A vulnerability feed contains information about new exploits and security patches.
What is a CISO?
Chief Information Security Officer - a senior executive with overall responsibility for information assurance and systems integrity.
Which of the following password policies provides the BEST defense against a brute force password guessing attack?
Passwords must be at least 8 characters
Apart from regulatory and corporate policy and asset identification, what requirement has significant impact on the vulnerability management process?
Data classification (marking information as confidential or top secret for instance).
What type of reverse engineering tool recovers the programming language source code from a binary file?
Decompiler.
Apart from arbitrary code execution, what is the principal exploit of a system with a buffer overflow vulnerability?
Denial of Service through crashing the process or host system.
Following the CompTIA Cybersecurity Analyst syllabus, which activity for analyzing the output of a vulnerability scan and validating results has been omitted from the following list? Identify false positives and exceptions; Prioritize response actions; Compare to best practice or compliance; Reconcile results; Review related logs or other data sources.
Determine trends
Which of the following is not a firewall product or vendor? ASA, Check Point, Palo Alto, EMET.
EMET is a Microsoft tool for enforcing Data Execution Prevention and other anti-malware CPU features.
Following the CompTIA Cybersecurity Analyst syllabus, which environmental reconnaissance procedure has been omitted from the following list? Topology discovery; OS fingerprinting / Service discovery; Packet capture; Log / router / firewall ACL review; Social media profiling; Social engineering; DNS harvesting; Phishing.
Email harvesting
What administrative control(s) will best reduce the impact of an attack where a user gains control over an administrator's account?
Ensure accounts are configured with the least privileges necessary. This makes it less likely that a "root" or "domain admin" account will be compromised. Use logging and separation of duties to detect intrusions.
What is the function of the -A switch in Nmap?
Performs service detection (verify that the packets delivered over a port correspond to the "well known" protocol associated with that port) and version detection (using the scripts marked "default").
True or false? Most pen tests should be defined with an open-ended scope to maximize the chance of detecting vulnerabilities.
False - a pen test must have clearly defined parameters for a number of reasons (such as cost, business impact, confidentiality, measurable goals and outputs). A pen test report would suggest if additional testing in different areas of the security system was recommended.
True or false? Data exfiltration is always the last stage in a typical kill chain.
False - the attacker may maintain access or retreat (and attempt to destroy any evidence that the attack took place).
At what stages of software development will use of an interception proxy be most useful?
Generally in the post-implementation stages, as it is run against the published code (testing, deployment, and maintenance).
At what stage of the SDLC will source code analysis and code review principally be performed?
In the implementation phase.
What are the principal factors involved in calculating risk?
Likelihood (chance of the threat being realised) and impact (costs if the threat is realised).
The basic factors for calculating risk are:
Likelihood and impact
Which of the following can be used to actively test whether a vulnerability is exploitable? (choose ALL that apply) a. John the Ripper; b. Metasploit; c. OpenVAS; d. Armitage; e. Bro; f. Nikto; g. Nexpose.
Metasploit, Armitage, Nexpose
What security activities are most appropriate during the maintenance phase of software development?
Monitoring, incident response, and patch management.
Is Nikto best described as a vulnerability scanner or WAF or interception proxy?
Nikto is a vulnerability scanner.
What is OSINT?
Open Source Intelligence
What is the role of the blue team during a pen test?
Operate the security system to detect and repel the intrusion.
Following the CompTIA Cybersecurity Analyst syllabus, which inhibitor to remediation of vulnerabilities has been omitted from the following list? MOU / SLA; Business process interruption; Degrading functionality.
Organizational governance
What type of vulnerability scanning is being performed if the scanner sniffs traffic passing over the local segment?
Passive scanning.
Following the CompTIA Cybersecurity Analyst syllabus, which requirement in the vulnerability management process has been omitted from the following list? Corporate policy; Data classification; Asset inventory (critical and non-critical).
Regulatory environments
What can you do to reduce a high number of false positives returned when performing vulnerability scanning?
Remove non-applicable vulnerabilities from the scan, update heuristics baselines, create exceptions, and run credentialed scans.
What methods can you use to validate the results of a vulnerability scan?
Repeat the scan (possibly using a different scanner), review logs and other data sources, and compare to compliance or configuration baselines. You might also attempt to actively exploit a vulnerability using pen testing.
How do technical constraints impact scanning frequency?
Scanning can cause system instability and consume network bandwidth so is best performed when the network is not heavily utilized or when the target systems are performing critical tasks.
What is a CoA matrix?
Security controls can be defined in terms of their function (preventive, detective, deterring, and so on). A Course of Action matrix maps the controls available for each type of function to adversary tools and tactics.
Identify the best tool to use to perform the following tasks by dragging the appropriate label into the box (use each label ONCE only or not at all): blank - actively test input validation routines. blank - scan web server for known vulnerabilities. blank - use interception proxy to crawl application. blank - deploy a WAF to IIS.
[Peach] - actively test input validation routines. [Nikto] - scan web server for known vulnerabilities. [Burp] - use interception proxy to crawl application. [ModSecurity] - deploy a WAF to IIS.
Describe one advantage and one disadvantage of using the -T0 switch when performing an Nmap scan?
This sets an extremely high delay between probes, which may help to evade detection systems but will take a very long time to return results.
What are the six rules of engagement for pen testing?
Timing, scope, authorization, exploitation, communication, and reporting.
What is the principal challenge in scanning UDP ports?
UDP does not send ACK messages so the scan must use timeouts to interpret the port state. This makes scanning a wide range of UDP ports a lengthy process.
If an attacker succeeds in attaching a rogue device to a switch port, what network design principle(s) can reduce the impact of the attack?
Use VLANs and ACLs to restrict the scope of access from any one port. Unused ports should be disabled or redirected to a "blackhole" VLAN. You could also suggest using Network Access Control (NAC) to authenticate devices attaching to a port.
How do you run a specific Nmap script or category of scripts?
Use the --script argument with the script name, path, or category name.
What is "UAT" in the context of software development?
User Acceptance Testing - often "beta" software testing by a test group managed by the developer and/or the end customer.
How is a ping sweep performed using native command line tools only?
Using a script to supply the variables (octet values) and loop through them.
Identify the type of system MOST likely to be affected by the vulnerability described by dragging the appropriate label into the box (use each label ONCE only or not at all): blank - exploit unmonitored disk and network resources for data exfiltration. blank - perform DoS on manufacturing process. blank - exploit to perform Man-in-the-Middle attack on default gateway. blank - perform DoS on shared cloud web server.
[Internet of Things Appliance] - exploit unmonitored disk and network resources for data exfiltration. [SCADA Management Server] - perform DoS on manufacturing process. [Network Switch] - exploit to perform Man-in-the-Middle attack on default gateway. [Virtual Host] - perform DoS on shared cloud web server.
Drag the marker representing the most appropriate tool to use to perform the following tasks (use each tool ONCE only): blank - perform a zone transfer. blank - identify address autoconfiguration. blank - test the local subnet for host responses. blank - identify the path taken to communicate with a host. blank - show the process using a listening port on the local host. blank - identify the OS of a remote host.
[nslookup] - perform a zone transfer. [ipconfig] - identify address autoconfiguration. [ping] - test the local subnet for host responses. [tracert] - identify the path taken to communicate with a host. [netstat] - show the process using a listening port on the local host. [nmap] - identify the OS of a remote host.
Drag the label containing the switch over the appropriate marker to perform each of the following Nmap scan types (use each label ONCE only or not at all): blank - half-open scan. blank - full connect scan. blank - connectionless scan. blank - "Christmas Tree" scan.
[-sS] - half-open scan. [-sT] - full connect scan. [-sU] - connectionless scan. [-sX] - "Christmas Tree" scan.
A chart mapping the capabilities represented by security controls to known adversary tactics is known as a:
course of action matrix
Write the command to use Nmap to scan IP addresses but suppress a port scan on the local subnet if the local host is configured with IP address 172.16.17.48 and subnet mask 255.255.240.0 (for the purpose of this question, you must write the IP of the network address rather than any of the valid host addresses):
nmap -sn 172.16.16.0/20
A troubleshooting utility outputs a series of lines such as: "1 <10ms 1ms 10.1.0.1" - which utility is being used?
tracert
True or false? You could use the command 'netstat -sp TCP' to check the number of reset connections since the local Windows host last booted.
true