CYSA+ (CS0-001)
What are the Incident Recovery Phases? (CEVCR)
1.) Containment 2.) Eradication 3.) Validation 4.) Corrective Actions 5.) Incident Summary Reporting.
What are the phases of Vulnerability scanning?
1.) Detection 2.) Remediation 3.) Testing
What are the 3 main purposes of network scanning?
1.) Finding live devices or IPs in use. 2.) Determining what ports are open / closed. 3.) Identify exploitable vulnerabilities.
What are the steps of the vulnerability management process? (RFCSRRM)
1.) Identify Requirements 2.) Establish Scanning Frequency 3.) Configure Scanning Tools 4.) Scan Systems 5.) Generate Reports 6.) Remediate Systems 7.) Continuous Monitoring
List 4-5 examples of foot printing.
1.) Search Engines --> Google, Web-Site Caching. 2.) Job Postings --> Provides tech used. 3.) Social networking --> Leverage SM to gain info. 4.) Company Websites --> HTML reveals alot of info. 5.) Email headers 6.) WhoIS --> Domain information, addresses, phone numbers, etc. 7.) DNS --> Review records to identify IP addresses.
What is the most current version of CVSS?
3.0
What constitutes a high score in CVSS terms?
6.1-9.9
What does the command dig afxr indicate?
A DNS Zone Transfer. Typically run in a Linux environment.
What is a Sheep Dip System?
A Sheep Dip system is a dedicated isolated system used to analyze suspect files or messages for Malware. There is usually port monitors and other tools installed to inspect the malware's behavior.
What is a known unknown in respect to vulnerabilities?
A known unknown means a known vulnerability that has no current mitigation.
In the event that devices won't respond to an ICMP request, what can be done to harvest IP information?
ARP request.
What authentication technology is NTLM associated with?
Active Directory
What information can be found via Netstat?
Active TCP Connections, Running Executables and Routing Information.
What is AirCrack-ng?
Aircrack-Ng is a packet capture/security tool for wireless security.
What is Aircrack-ng?
Aircrack-ng is a suite of tools used to assess Wireless Network Security. It can also be used as a wireless packet sniffer.
What is Alien Vault?
Alien Vault is a SIEM.
What is Alienvault?
Alien Vault is a developer that creates multiple open source products including OSSIM (Open Source Security Information Management). Alien Vault also hosts the Open Threat Exchange (OTX) which is the largest crowd-sourced computer security platform.
Explain the difference between an attack Vector and an attack type and provide examples of each.
An attack vector is the channel used or device that is attacked. Mobile devices, cloud computing, insider attack and botnets are all examples of attack vectors. An attack type is the type of attack used. Examples include: Operating systems, misconfigurations, Application level attacks and shrink wrap.
What is Dig?
Dig is the UNIX version of nslookup.
Explain Doxing.
Doxing is the posting of PII online. Usually done by hackers.
What law requires the vulnerability scanning on information systems operated by Federal agencies?
FISMA or Federal Information Security Management Act.
Which type of organization is most subject to vulnerability scan requirements?
Federal Agencies.
What is the first step of a cyber attack and it's purpose?
Footprinting is the first step of a cyber attack. Footprinting is passive information gathering and allows the attacker to narrow the scope.
What is Helix?
Helix is a forensic software used for monitoring internet usage, hashing, data exfiltration etc.
What method is used to identify previously un-encountered malware?
Heuristic or behavior analysis.
What level of impact must a system have under FISMA before the organization is required to determine what info is discoverable by adversaries?
High
What ISO standard contains information about IT Security Management System Requirements?
ISO 9000
What are the 5 NIST functions in the Cybersecurity Framework?
Identify, Protect, Detect, Respond and Recover
What is Imperva?
Imperva is a Web Application Firewall.
What is Imperva?
Imperva is a Web-Application Firewall (WAF).
What does MFT/INDX contain that would be useful for a forensics investigation?
Information about file changes.
What does Information Event ID 1102 describe?
Informational Event 1102 is a clear to the audit log.
What is Informational event 4719?
Informational event 4719 is a change to the Audit Log policy which in some cases can be a sign of a cyber attack.
Why is SMS not recommended as an authentication method?
Insecure and easy to target via VoIP
What is Kiwi Syslog?
Kiwi Syslog is a SIEM product owned by Solarwinds. It's used to collect events, SNMP traps etc to correlate events.
What type of vulnerability is Dirty COW.
Linux Privilege Escalation
What is MBSA?
MBSA or Microsoft Baseline Security Analyzer is a vulnerability scanner for Windows products. It checks for missing security updates and recommendations and provides reports. The last supported OS for MBSA was Server 2012 and Windows 8.1
What is MD5Sum/SHASum?
MD5Sum and SHASum are both file integrity checkers used to compute hashes on files.
What is MRTG?
MRTG or Multi Router Traffic Grapher is a monitoring tool that can be used to monitor bandwidth on a variety of network devices using SNMP.
What is MTD?
MTD or Max Tolerable Downtime is the max tolerable downtime that a company can withstand for a particular system. MTD is sometimes also referred to as MPTD (Max Period Time of Disruption).
According to NIST, an outage of 30% of users email would cause what level of functional impact?
Medium
Where is the best place to look for memory information is only an offline image is available?
Memory Dump
What is the Metasploit Framework?
Metasploit Framework is a product developed by Rapid7 which allows a security engineer to not only identify vulnerabilities but package exploit payloads and run them on remote systems for penetration testing purposes. It also leverages the Nexpose exploit database (also a Rapid7) product for exploit data.
What is Microsoft SDL File / Regex Fuzzer
Microsoft has a set of tools included in the SDL (Security Development LifeCycle) and Regex Fuzzer is one of them that tests code for vulnerabiliteis via fuzzing.
What is ModSecurity?
ModSecurity is a Web Application Firewall (WAF).
How is a system categorized if information disclosure would have a severe adverse affect on the organization?
Moderatec
What is NAXSI?
NAXSI is a Web-Application Firewall (WAF).
What is Peach Fuzzer?
Peach Fuzzer is a robust fuzzing application used to test the OWASP top 10 web application security vulnerabilities.
What's the difference between perfmon and resmon?
Perfmon includes more detailed info such as USB host controllers.
What is QRadar?
QRadar is a SIEM.
What is QRadar?
QRadar is a Security, Information & Events Management (SIEM) system produced by IBM.
What is Qualys?
Qualys is one of the first available Vulnerability Management platforms.It can be deployed as SAS.
How often must PCI-DSS compliant organizations perform vulnerability scans?
Quarterly.
What is RUM?
RUM or Real User Monitoring is a passive monitoring method that captures and analyzes every transaction of every user. It is used as a form of Web-Vulnerability Scanning.
What level of access should be provided for credentialed scans?
Read-Only.
What is a Red Team / Blue Team
Red team is a security group that is trying to offensively trying to find weaknesses in a company's security systems, while the Blue team is the defensive security group. This usually refers to groups during a penetration testing exercise.
What was Stuxnet aimed at?
SCADA Systems
Explain SOW.
SOW or statement of work is a document constructed to determine the rules of engagement during penetration testing and other security activities.
What NIST publication contains info about cybersecurity incident handling?
SP 800-61
Which act governs financial records of publicly traded companies?
Sarbanes-Oxley Act (SOX)
What does the NMAP -sn flag mean?
Scan hosts + ports.
What does the NMAP -ps [Port List] flag mean?
Scans designated ports via TCP/Syn for service discovery.
What does the NMAP -sL flag mean?
Scans live hosts only, no port scans.
What type of Windows logs capture information about file deletions?
Security logs.
What does the NMAP -pn flag mean?
Skips hosts and scans every IP address.
What is Snort?
Snort is an open source IDS/IPS.
What is SourceFire?
Sourcefire is an IDS based off of Snort. Now owned by Cisco.
What is the best method to sanitize SSDs?
Special commands that are HW Vendor specific.
What is Splunk?
Splunk is one of the most prevalent Security, Information and Event Management systems. It is used by NITOAD.
Which memory analysis tool can be used on all operating system flavors?
The Volatility Framework.
Which tier is adaptive in the NIST CyberSecurity Framework?
Tier 4
What is Untidy?
Untidy is an XML fuzzer which uses invalid requests in attempt to cause exceptions on web-applications.
What is Vega?
Vega is a web proxy used to secure web traffic and application requests.
How many Echo requests/responses do Windows and Cisco systems send?
Windows: 4 Cisco: 5
What is ZAP?
ZAP or Zed Attack Proxy is an open source web application scanner that can be used for penetration testing and other security hardening. It's used as a proxy server in most cases.
What Linux commands are used to show current disk utilization?
df
What is tcpdump?
tcpdump is a networking analysis tool for sniffing packets. it runs on UNIX but has a Windows port called windump which uses WinpCap for capture.
What is the most severe computer log level?
0
What is ArcSight?
Arcsight is a SIEM.
What is ArcSight?
Arcsight is a Security, Information & Events Management (SIEM) system that uses correlation events to detect and monitor threats. ArcSight is owned by HP.
What is Bro?
Bro is an open source Intrusion Detection System (IDS).
What attack can be executed against RADIUS if the attacker has valid credentials and network traffic access
Brute Force
What is Burp Suite?
Burp Suite is a GUI tool used to test web application security. It can also be used as a proxy server.
What two files can contain encryption keys normally only stored in memory?
Core dumps and hibernation files.
What provides nomenclature for product names / versions?
CPE - Common Product Enumeration
What is Cacti?
Cacti is a web-based network monitoring / graphing tool. It uses SNMP for information.
What is Cellebrite?
Cellebrite is a forensics hardware/software toolkit used for extracting data off of mobile devices.
What is NAXSI?
NAXSI which stands for Ngix Anti-XSS and SQL injection is a UNIX based Web Application Firewall.
What does NAXSI stand for?
NGIX Anti-XSS and SQL Injection. NAXSI is a WAF.
What tool is ideal for scanning the network for IP addresses and open ports?
NMAP / ZenMap
What is Nagios?
Nagios is an open source monitoring and alerting tool. It can be configured to alert when an issue has occurred and been resolved.
What is NetFlow Analyzer?
NetFlow Analyzer is a ManageEngine product used to analyze a variety of flow technology data pipelines.
What tool is used to identify specific conversations on a network?
Netflow Analyzer
What is Network General?
Network General was the original packet sniffer and is now owned by NetScout. It works similar to other packet sniffers but is not as prevalent.
What is Nexpose?
Nexpose is a vulnerability scanning system developed by Rapid7.
What is Nikto?
Nikto is an open-source Vulnerability Scanner primarily used for Web-Server vulnerabilities.
What is OSSIM?
OSSIM or Open Source Security Information Management is a SIEM product now owned by AT&T.
What is OpenSSL?
Open SSL is a free set of encryption tools that is used to secure web-server communications. It serves the majority of all web-sites on the internet.
What is OpenVAS?
OpenVAS or Open Vulnerability Assessment System is an open-source Vulnerability Management / Vulnerability scanning platform.
What is Sysinternals?
Sysinternals is a website that contains a vast amount of information and utilities for Windows systems. Sysinternals contains many command line and IP utilities.