CCST - Cybersecurity
The responsibilities for a Junior Security Analyst are:
1- Preparation and Prevention. 2- Monitoring and Investigation. 3- Response.
What is the best approach to prevent a compromised IoT device from maliciously accessing data and devices on a local network?
Place all IoT devices that have access to the Internet on an isolated network.
What is the most common goal of search engine optimization (SEO) poisoning?
to increase web traffic to malicious sites
What is Nessus?
used to scan systems for software vulnerabilities
What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits?
WinDbg
What is the National Vulnerability Database (NVD)?
a U.S. government repository of standards-based vulnerability management data that uses the Security Content Automation Protocol (SCAP)
Describe attack complexity as a criterion of Base Metric Group Exploitability
a metric that expresses the number of components, software, hardware, or networks, that are beyond control of the attacker and that must be present in order for a vulnerability to be successfully exploited
What is the purpose of packet analyzers?
aka. packet sniffers, intercept and log network traffic.It captures each packet, shows the values of various fields in the packet, and analyzes its content. It is able to capture network traffic on both wired and wireless networks.
Vulnerability Scanners
assess computers, computer systems, networks, or applications for weaknesses. Vulnerability scanners help to automate security auditing by scanning the network for security risks and producing a prioritized list to address weaknesses.
Why does an organization need to conform to a standard data governance framework?
to ensure that an organization can manage data in a consistent manner and ensure that data is trustworthy
What are the two important components of a public key infrastructure (PKI) used in network security?
Certificate authority Digital Certificates
Describe HIPAA:
A regulatory law that regulates the identification, storage, and transmission of patient personal healthcare information
What type of cipher encrypts plaintext one byte or one bit at a time?
A stream cipher
What is a feature of the ANY.RUN malware sandbox?
ANY.RUN is an online sandbox tool with interactive reporting functions. Multiple malware samples can be uploaded to ANY.RUN for analysis. It also has the ability to capture screenshots of interactive elements of the malware.
What is the Electronic Communications Privacy Act (ECPA)?
Aims to ensure work place privacy and protects a range of electronic communications, such as email and telephone conversation, from unauthorized interception, access, use, and disclosure
What is a characteristic of the security onion analogy to visualizing defense-in-depth?
All layers of the onion must be penetrated to gain access to vulnerable assets.
Defense-in-Depth/Layered Security
An approach that involves deploying multiple layers of security controls and measures to protect systems and data. If one layer is compromised, other layers can still provide protection.
What type of activity occurs during the deployment phase of the asset lifecycle?
An asset is moved from inventory to in-use.
If a SOC has a goal of 99.999% uptime, how many minutes of downtime a year would be considered within its goal?
Approximately 5 minutes per year.
What is a denial-of-service (DoS) attack?
Attacks aimed at rendering a network, system, or service unavailable by overwhelming it with a flood of illegitimate requests or excessive traffic.
What is a man-in-the-middle (MitM) attack?
Attacks where an attacker intercepts and alters communication between two parties without their knowledge. This allows the attacker to eavesdrop, modify, or steal information.
What names are given to a database where all cryptocurrency transactions are recorded?
Blockchain & Ledger
Describe camouflage in reference to security coding techniques?
Camouflage replaces sensitive data with realistic fictional data.
A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture?
CapME Wazuh Zeek
A cyberanalyst is looking for an open source malware analysis tool that can run locally on the network. Which tool would meet the needs of the cyberanalyst?
Cuckoo Sandbox
What is Cuckoo Sandbox?
Cuckoo Sandbox is a popular free malware analysis system sandbox. It can be run locally and have malware samples submitted to it for analysis. A number of other online public sandboxes exist.
What type of attack uses zombies?
DDoS
TCP port 53 and UDP port 53
DNS Domain Name System: Resolves domain names to corresponding IP addresses
Which parameter is used to identify applications when a user sends a service request to a remote server?
Destination port number
For what purpose would a network administrator use the Nmap tool?
Detection and identification of open ports
A recent audit shows that several devices and systems allowed unsecure remote access. Which policy changes would prevent this from occurring?
Disable unsecured remote access, such as Telnet• Require secure remote access, such as SSH and VPN
UDP port 67 is used by:
Dynamic Host Configuration Protocol (DHCP) - Server
Describe output encoding in reference to security coding techniques?
Ensure it is safe to display and will not result in code execution. This can help prevent issues like Cross-Site Scripting (XSS) in web applications.
A recent audit shows that several company servers were not updated with the latest patches. Which policy changes would prevent this from occurring?
Establish a plan to update / test the latest patches at regular intervals.
TCP ports 21 is used by:
FTP - Control
TCP ports 20 is used by:
FTP - Data
An e-commerce website encourages users to authenticate using their individual social media account credentials. What type of a security solution enables users to use the same credentials to login to multiple networks belonging to different enterprises?
Federated identity management links the electronic identity of a subject across separate identity management systems, such as being able to access several websites using the same social login credentials. From a user perspective, federated identity management can provide a single sign-on for the web.
Any device that controls or filters traffic going in or out of the network is known as a ___________.
Firewall
What technology can be used to protect the integrity of data in transit?
Hashing Data integrity refers to the accuracy and validity of the data. Hashing is used to ensure the integrity of data as it moves between devices.
A cyber security analyst is reviewing security alerts in Sguil. What are three pieces of information included in an alert to identify the device generating the alert?
IP protocol number, source and destination Layer 4 port, and source and destination IP address
A software company uses a public cloud service for hosting software development and deployment services. The company is concerned that software code in development might leak to competitors and result in the loss of intellectual property. Which security coding techniques can the company implement to address the concern?
Implement a multi-factor authentication process. Use an advanced encryption algorithm. Obfuscation Camouflage
An organization is implementing security requirements for teleworkers to access the corporate network. What are two examples of technical control for the implementation?
Install and configure a VPN appliance. Enable multi-factor authentication.
Why does IoT technology pose a greater risk than other computing technology on a network?
Internet of Things devices often lack robust security measures, making them susceptible to attacks. Vulnerabilities in IoT devices can lead to unauthorized access, data breaches, or control manipulation.
Which two tools used for incident detection can be used to detect anomalous behavior, to detect command and control traffic, and to detect infected hosts?
Intrusion Detection System and NetFlow
Describe input validation in reference to security coding techniques?
It involves rigorously checking user or system inputs before processing to prevent common attacks such as SQL Injection or Cross-Site Scripting (XSS). Ensure all input is validated before use, using techniques like whitelisting allowable inputs, length checks, and format checks.
What is the Nmap utility used for?
It is an open source tool for scanning vulnerabilities of systems and networks. It can identify open ports on a host.
What is an advantage for small organizations of adopting IMAP instead of POP?
Messages are kept in the mail servers until they are manually deleted from the email client.
Which protocol is used by the Cisco Cyberthreat Defense Solution to collect information about the traffic that is traversing the network?
NetFlow
What is a botnet?
Networks of compromised computers controlled by a central attacker, typically used for launching coordinated attacks, distributing spam, or conducting DDoS attacks.
A recent audit shows that forty percent of all organization passwords audited were cracked within 6 hours. Which policy changes would prevent this from occurring?
New password policy:• Implement 2FA or MFA• User passphrases• Change passwords only after evidence of compromise• No reuse of old passwords• No reuse of passwords on different applications• Enable copy/paste passwords• Educate users on basic cybersecurity
Which tool is used to provide a list of open ports on network devices?
Nmap/Zenmap
Which technology creates a security token that allows a user to log in to a desired web application using credentials from a social media website?
Open Authentication
A network administrator notices that several company wireless access points are using WEP for encryption and authentication. The administrator needs to update the encryption and authentication configurations. Which security policy would address the process of updating AP configurations?
Organizational Policy Since the hotspots are part of the company's assets, the organizational policy would address any change control or asset management practices.
A medical office employee sends emails to patients about recent patient visits to the facility. What information would put the privacy of the patients at risk if it was included in the email?
Patient Records
Registered Ports
Ports 1024 - 49151. These ports typically accompany non-system applications associated with vendors and developers.
Which criterion in the Base Metric Group Exploitability metrics reflects the level of access needed for a successful attack?
Privileges required - a metric that captures the level of access that is required for a successful exploit of the vulnerability
What is the Computer Fraud and Abuse Act (CFAA) of 1986?
Prohibits the unauthorized access of computer systems. Knowingly accessing a government computer without permission or accessing any computer used in or affecting interstate or foreign commerce is a criminal offense.
What is a function of a protocol analyzer?
Protocol analyzers capture packets on the network and can look into the various fields of the packets to detect network problems. It analyzes the value and contents of the captured packets.
Which stage of the kill chain used by attackers focuses on the identification and selection of targets?
Reconnaissance
Which criterion in the Base Metric Group Exploitability metrics expresses the number of authorities that need to be involved?
Scope - a metric that expresses whether multiple authorities must be involved in an exploit
TCP ports 22 is used by:
Secure Shell (SSH) Secure File Transfer Protocol (SFTP) runs over 22 as a subsystem
What is Sguil?
Sguil provides a console to view alerts generated by network security monitoring tools. The alerts will usually include five-tuples of information and time stamps. The five-tuples include the source and destination IP address, source and destination Layer 4 ports, and the IP protocol number.
TCP port 25 is used by:
Simple Mail Transfer Protocol (SMTP) - Used to transmit and route email from sender to the recipients address. Works with message transfer agent software which searches DNS servers to resolve email address to IP.
Which tool can perform real-time traffic and port analysis, and can also detect port scans, fingerprinting and buffer overflow attacks?
Snort
What is a difference between symmetric and asymmetric encryption algorithms?
Symmetric encryption algorithms use pre-shared keys while asymmetric encryption algorithms use different keys to encrypt and decrypt data.
The IT security team of an organization is charged with cybersecurity threat assessment and risk management. Which Cisco service would assist the task by providing information about security incident detection rule sets for the Snort.org, ClamAV, and SpamCop network security tools?
Talos
TCP ports 23 is used by:
Telnet
What is used by PKI entities to verify the validity of a digital certificate?
The Certificate Revocation List (CRL) contains a list of revoked certificate serial numbers that have been invalidated because they have expired. The CRL can be polled by PKI entities to determine the validity of the digital certificate in question.
What is CIPA?
The Children's Internet Protection Act (CIPA) requires that K-12 schools and libraries in the United States use Internet filters and implement other measures to protect children from harmful online content as a condition for federal funding.
What is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a law created to protect the privacy of children under 13. The Act was passed by the U.S. Congress in 1998 and took effect in April 2000. COPPA is managed by the Federal Trade Commission (FTC).
What is the IoT (internet of things)
The connection of a broad array of physical devices to the internet, enabling data collection and management via software. Can include: Sensors and equipment
What is IMPACT?
The international multilateral partnership against cyber threats -- a global partnership of world governments, industries, and academia dedicated to improving global capabilities when dealing with cyber threats.
What is obfuscation?
The process of hiding original data within random characters or data. This transforms the data so that its true meaning is not apparent to any unauthorized user or system in possession of it
What is hardening?
The process of securing a system by reducing vulnerabilities, removing unnecessary services, implementing security controls, and following best practices to minimize the attack surface.
The HTTP server has responded to a client request with a 200 status code. What does this status code indicate?
The request was completed successfully.
After running an nmap scan of a system, you receive scan data that indicates the following three ports are open:22/TCP443/TCP1521/TCP What services commonly run on these ports?
These three TCP ports are associated with SSH (22), HTTPS (443), and Oracle databases (1521).
What is GFI LANguard?
This is a network security scanner which detects vulnerabilities.
What is L0phtcrack?
This is a password auditing and recovery application.
What is a SIEM (Security Information and Event Management) system utilized for?
This is a technology used in enterprise organizations to provide real time reporting and long-term analysis of security events.
What is Tripwire?
This tool assesses and validates IT configurations against internal policies, compliance standards, and security best practices.
The Security Operations Center (SOC) Three-Tier Model:
Tire 1: Junior Security Analyst - Triage Specialist Tire 2: Security Operations Analyst - Incident Responder Tire 3: Security Operations Analyst - Threat Hunter.
An organization needs to implement a solution that would enable them to determine the order of security events occurring on the network. What technology should be implemented?
To accurately timestamp events on a network, time must be synchronized between devices. Network Time Protocol (NTP), allows devices on the network to synchronize their time with an NTP server or master clock.
What is that main function of the Cisco Security Incident Response Team?
To ensure company, system, and data preservation
A recent audit shows that several wireless hotspots used WEP for encryption and authentication. Which policy changes would prevent this from occurring?
Upgrade wireless hotspots to the most secure encryption and authentication available
Which criterion in the Base Metric Group Exploitability metrics reflects the presences or absence of a user?
User interaction - second component of the attack complexity metric that expresses the presence or absence of the requirement for user interaction in order for an exploit to be successful
Which of the following protocols use the Advanced Encryption Standard (AES)?
WPA and WPA2
Which method of wireless authentication can take advantage of identity verification using a Radius server?
WPA2-Enterprise
What is meant by the term "Sniffing"?
When an attacker listens and captures packets sent on neatwork at attempt to discover password
A recent audit shows that several accounts were identified for employees that are no longer employed by ACME. Which policy changes would prevent this from occurring?
When an employee leaves the company:• Review all access permission• Retrieve data from the employee if appropriate• Terminate access and reset all passwords
A user is surfing the Internet using a laptop at a public WiFi cafe. What should be checked first when the user connects to the public network?
if the laptop requires user authentication for file and media sharing
Well Known Ports
port numbers in the range of 1-1024 that identify network applications that are well known such as web, email, and remote login applications
The IT team of an organization is updating the policy and procedures regarding recovery controls. What are three examples of recovery controls?
server clustering database shadowing backup/restore operations fault tolerance drive systems
A recent audit shows that several user accounts allowed unauthorized and escalated privileges and accessed systems and information without formal authorization. Which policy changes would prevent this from occurring?
•Assign the least privilege to perform the task •Log when elevated privileges are used
