Chapter 2 Q/A
6. Which of the following threat actors typically has the greatest access to resources? A. Nation-state actors B. Organized crime C. Hacktivists D. Insider threats
A. Nation-state actors Nation-state actors are government sponsored, and they typically have the greatest access to resources, including tools, money, and talent.
17. Tom's organization recently learned that the vendor is discontinuing support for their customer relationship management (CRM) system. What should concern Tom the most from a security perspective? A. Unavailability of future patches B. Lack of technical support C. Theft of customer information D. Increased costs
A. Unavailability of future patches Tom's greatest concern should be that running unsupported software exposes his organization to the risk of new, unpatchable vulnerabilities. It is certainly true that they will no longer receive technical support, but this is a less important issue from a security perspective. There is no indication in the scenario that discontinuing the product will result in the theft of customer information or increased costs.
5. What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals? A. DHS B. SANS C. CERTS D. ISACs
D. ISACs The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help infrastructure owners and operators share threat information, and provide tools and assistance to their members.
19. Edward Snowden was a government contractor who disclosed sensitive government documents to journalists to uncover what he believed were unethical activities. Which two of the following terms best describe Snowden's activities? (Choose two.) A. Insider B. State actor C. Hacktivist D. APT E. Organized crime
A. Insider C. Hacktivist As a government contractor, Snowden had authorized access to classified information and exploited this access to make an unauthorized disclosure of that information. This clearly makes him fit into the category of an insider. He did so with political motivations, making him fit the category of hacktivist as well.
8. Which one of the following is the best example of a hacktivist group? A. Chinese military B. U.S. government C. Russian mafia D. Anonymous
D. Anonymous The Chinese military and U.S. government are examples of nation-state actors and advanced persistent threats (APTs). The Russian mafia is an example of a criminal syndicate. Anonymous is the world's most prominent hacktivist group.
16. Ursula recently discovered that a group of developers are sharing information over a messaging tool provided by a cloud vendor but not sanctioned by her organization. What term best describes this use of technology? A. Shadow IT B. System integration C. Vendor management D. Data exfiltration
A. Shadow IT The developers in question are using unapproved technology for business purposes. This is the classic definition of shadow IT. It is possible to describe this as data exfiltration, but there is no indication that the data security has been compromised, so shadow IT is a better description here. Remember, you will often be asked to choose the best answer from multiple correct answers on the exam.
11. Greg believes that an attacker may have installed malicious firmware in a network device before it was provided to his organization by the supplier. What type of threat vector best describes this attack? A. Supply chain B. Removable media C. Cloud D. Direct access
A. Supply chain Tampering with equipment before it reaches the intended user is an example of a supply chain threat. It is also possible to describe this attack as a direct access attack because it involved physical access to the device, but supply chain is a more relevant answer. You should be prepared to select the best possible choice from several possible correct answers when you take the exam. Security+ questions often use this type of misdirection.
9. What type of assessment is particularly useful for identifying insider threats? A. Behavioral B. Instinctual C. Habitual D. IOCs
A. Behavioral Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed—such as after-hours logins, misuse of credentials, logins from abnormal locations, or abnormal patterns—and other behavioral indicators are often used.
7. Of the threat vectors listed here, which one is most commonly exploited by attackers who are at a distant location? A. Email B. Direct access C. Wireless D. Removable media
A. Email Email is the most common threat vector exploited by attackers who use phishing and other social engineering tactics to gain access to an organization. The other vectors listed here, direct access, wireless, and removable media, all require physical proximity to an organization and are not easily executed from a remote location.
4. Which one of the following attackers is most likely to be associated with an APT? A. Nation-state actor B. Hacktivist C. Script kiddie D. Insider
A. Nation-state actor Advanced persistent threats (APTs) are most commonly associated with nation-state actors. It is unlikely that an APT group would leverage the unsophisticated services of a script kiddie. It is also unlikely that a hacktivist would have access to APT resources. Although APTs may take advantage of insider access, they are most commonly associated with nation-state actors.
14. Which one of the following threat research tools is used to visually display information about the location of threat actors? A. Threat map B. Predictive analysis C. Vulnerability feed D. STIX
A. Threat map Threat maps are graphical tools that display information about the geographic locations of attackers and their targets. These tools are most often used as interesting marketing gimmicks, but they can also help identify possible threat sources.
3. Kolin is a penetration tester who works for a cybersecurity company. His firm was hired to conduct a penetration test against a health-care system, and Kolin is working to gain access to the systems belonging to a hospital in that system. What term best describes Kolin's work? A. White hat B. Gray hat C. Green hat D. Black hat
A. White hat Attacks that are conducted as part of an authorized penetration test are white-hat hacking attacks, regardless of whether they are conducted by internal employees or an external firm. Kolin is, therefore, engaged in white-hat hacking. If he were acting on his own, without authorization, his status would depend on his intent. If he had malicious intent, his activity would be considered black-hat hacking. If he simply intended to report vulnerabilities to the hospital, his attack would be considered gray hat. Green hat is not a commonly used category of attacker.
1. Which of the following measures is not commonly used to assess threat intelligence? A. Timeliness B. Detail C. Accuracy D. Relevance
B. Detail Although higher levels of detail can be useful, they aren't a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.
12. Ken is conducting threat research on Transport Layer Security (TLS) and would like to consult the authoritative reference for the protocol's technical specification. What resource would best meet his needs? A. Academic journal B. Internet RFCs C. Subject matter experts D. Textbooks
B. Internet RFCs All of these resources might contain information about the technical details of TLS, but Internet Request for Comments (RFC) documents are the definitive technical standards for Internet protocols. Consulting the RFCs would be Ken's best option.
15. Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information? A. Vulnerability feed B. IoC C. TTP D. RFC
B. IoC Specific details of attacks that may be used to identify compromises are known as indicators of compromise (IoCs). This data may also be described as an adversary tool, tactic, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC.
13. Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository? A. Product manuals B. Source code C. API keys D. Open source data
C. API keys All of these items could be concerning, depending on the circumstances. However, API keys should never be found in public repositories because they may grant unauthorized individuals access to information and resources.
20. Renee is a cybersecurity hobbyist. She receives an email about a new web-based grading system being used by her son's school and she visits the site. She notices that the URL for the site looks like this:
https://www.myschool.edu/grades.php&studentID=1023425
She realizes that 1023425 is her son's student ID number and she then attempts to access the following similar URLs:
https://www.myschool.edu/grades.php&studentID=1023426
https://www.myschool.edu/grades.php&studentID=1023427
https://www.myschool.edu/grades.php&studentID=1023428
When she does so, she accesses the records of other students. She closes the records and immediately informs the school principal of the vulnerability. What term best describes Renee's work? A. White-hat hacking B. Green-hat hacking C. Gray-hat hacking D. Black-hat hacking
C. Gray-hat hacking Renee was not authorized to perform this security testing, so her work does not fit into the category of white-hat hacking. However, she also does not have malicious intent, so her work cannot be categorized as a black-hat attack. Instead, it fits somewhere in between the two extremes and would best be described as gray-hat hacking.
18. Which one of the following information sources would not be considered an OSINT source? A. DNS lookup B. Search engine research C. Port scans D. WHOIS queries
C. Port scans Port scans are an active reconnaissance technique that probe target systems and would not be considered open source intelligence (OSINT). Search engine research, DNS lookups, and WHOIS queries are all open source resources.
2. What language is STIX based on? A. PHP B. HTML C. XML D. Python
C. XML STIX is an XML-based language, allowing it to be easily extended and modified while also using standard XML-based editors, readers, and other tools.
10. Cindy wants to send threat information via a standardized protocol specifically designed to exchange cyber threat information. What should she choose? A. STIX 1.0 B. OpenIOC C. STIX 2.0 D. TAXII
D. TAXII TAXII, the Trusted Automated eXchange of Indicator Information protocol, is specifically designed to communicate cyber threat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language.