Practice Exam A - Vid Rev Aft 20

What is ISO/IEC 27002?

Code of practice for information security controls

What does a Site-to-site VPN do? What protocol do they typically use?

Connects two networks rather than just one device to a network. Many are implemented using L2TP over IPsec.

What does Continuous Delivery (CD) do?

Continuous Delivery automates security checks in the testing process. You just click a button and the app is released into production.

What are two passive footprint recon methods?

Gathering OSINT and social engineering tactics

Are vulnerability scans invasive/intrusive?

No. Vulnerability scans are minimally invasive/non-intrusive.

What must you comply with if you are accepting credit card information on your website?

PCI DSS

ISO/IEC 27701

Proper maintenance/use of Privacy Information Management Systems (PIMS). Extends the ISO 27001 and 27002 standards to include detailed management of PII (Personally Identifiable Information) and data privacy.

What does the ssh command do?

Provides an encrypted communication channel. Used when connecting to a remote device. Runs on TCP port 22.

SSH port

Secure Shell uses tcp/22. Same as Telnet except it uses encryption.

What do the route print (windows) and netstat -r (linux) commands do?

The route print and netstat -r commands show the various potential routes used by a device along with gateway IP addresses.

What do IOS devices use in place of ping (ICMP)?

UDP over port 33434

What kind of firewall does PCI DSS require?

WAF

What do the ipconfig (windows) and ifconfig (Linux) commands do?

ipconfig/ifconfig return info on the IP configuration and adapters of the device you are querying.

What does SASL stand for? What is it?

Simple Authentication and Security Layer. A framework that many different application protocols can use to communicate securely. Can use Kerberos, client certificates, etc.

What does SNMPv3 provide? What is it used for?

Simple Network Management Protocol version 3. Provides:
- Confidentiality
- Integrity
- Authentication
Used to remotely manage network devices such as routers and switches. Uses HTTPS.

What port does an SSL VPN communicate over? What is an SSL VPN commonly used for? Does a SSL VPN require a concentrator? Does a SSL VPN typically require certs or passwords?

- TCP port 443
- Typically used to provide remote authentication for a single device and does not require a VPN concentrator.
- Doesn't require digital certs or passwords, unlike a VPN using IPsec.

What are 2 ways DNS poisoning can be performed?

- Modifying the hosts file on individual devices.
- DNS spoofing - redirecting the traffic for the DNS server to a server under the attacker's control.

HTTPS port

443

What does FTK imager do?

FTK Imager captures images from drives and stores them in a way that can be read by other third-party utilities. Side note - if provided with the key, FTK Imager can also read encrypted drives.

What are 4 things a SWG can do?

A Secure Web Gateway can:
- protect users and devices
- monitor API usage such as queries and drop boxes
- examine JSON strings
- block malicious content

What is a VPN concentrator? In what VPN scenario do firewalls commonly function as VPN concentrators?

A VPN concentrator is hardware or software that handles encryption and decryption for the VPN. Firewalls can function as VPN concentrators, especially in the case of a site-to-site VPN.

What is a port scan?

A port scan is a type of vulnerability scan that shows what ports and protocols are being used by devices on the network.

An organization is installing a UPS for their new data center. Which of the following would BEST describe this type of control?
❍ A. Compensating
❍ B. Preventive
❍ C. Administrative
❍ D. Detective

A. Compensating A compensating security control doesn't prevent an attack, but it does restore from an attack using other means. In this example, the UPS does not stop a power outage, but it does provide alternative power if an outage occurs.

What are 5 things a CASB can provide?

Authentication, integrity, compliance, threat detection, usage logs.
- Knows what apps are in use and by which users.
- Can ensure users are complying with regulations such as HIPAA and PCI DSS.
- Can implement authorization techniques.
- Can look at the actual transfer of data and ensure that sensitive data is encrypted.
- Can monitor all the API instance calls to look for exploitation attempts.

A network administrator would like each user to authenticate with their personal username and password when connecting to the company's wireless network. Which of the following should the network administrator configure on the wireless access points?
❍ A. WPA2-PSK
❍ B. 802.1X
❍ C. WPS
❍ D. WPA2-AES

B. 802.1X uses a centralized authentication server, and all users can use their normal credentials to authenticate to an 802.1X network.

What does CI do? When is CI used?

Continuous Integration (CI)
- Automates security checks for the code written in the development process.
- Used when code is continuously written and merged into the central repository.

What does the memdump command do?

Copies information from the system memory to the standard output stream such as a USB drive.

What are Trojans used for?

Creating backdoors and downloading PUPs (Potentially Unwanted Programs).

What is cuckoo and what does it do?

Cuckoo is a sandbox used to test malware and run executables that have not been tested before. Can perform API calls, identify network traffic, and perform memory analysis.

What is Tcpreplay and what does it do?

Tcpreplay replays packets captured from tcpdump back onto the network to test security controls such as IPS signatures and firewall rules on other devices. Tcpreplay can be used to test and tune IP Flow/NetFlow devices. Tcpreplay can be used to stress test switches and routers.

SSAE SOC 2 type I audit

Test controls in place at a particular point in time.

SSAE SOC 2 type II audit

Test controls over a period of at least 6 consecutive months.

SSAE SOC 2 is developed by..

The American Institute of Certified Public Accountants (AICPA)

What 2 modes can you use to send data over an IPsec tunnel? How are the packets structured for each mode?

Transport Mode - structures the packet as IP Header -> IPsec Header -> Data -> IPsec Trailer.
Tunnel Mode - structures the packet as New IP Header -> IPsec Header -> IP Header -> Data -> IPsec Trailer. More secure because the original IP header isn't sent in the clear.

What are the 3 types of pen test environments?

Unknown environment, known environment, and partially known environment.

What are two ways vulnerability scans can be run?

Vulnerability scans can be categorized as either credentialed or non-credentialed.
- Credentialed scans are run as an authorized user from inside the network.
- Non-credentialed scans are run without authorization from outside the network.

What do vulnerability scans identify?

Vulnerability scans identify:
- systems and security devices
- lack of security controls
- misconfigurations
- app and OS vulnerabilities

What are UTMs AKA?

Web security gateways

What two things does Wardriving/Warflying use? What tools are commonly used?

WiFi monitoring and GPS locations. Tools include Kismet, inSSIDer, and Wireless Geographic Logging Engine.

What is nessus?

Nessus is a vulnerability scanner that not only finds vulnerabilities but ranks them based on importance and provides possible solutions.

What do the nslookup (deprecated) and dig (better version of nslookup) commands do? What information is returned?

nslookup and dig query the DNS server to get information about the devices on the network. Info includes canonical names, IP addresses, cache timers, etc.

Where can you find info on how OSINT can be gathered?

osintframework.com

What is scanless?

scanless is a way to proxy port scans (stealth mode) so the scan looks like it is running from a different device.

arp command

Shows the ARP table for your local subnet, which contains MAC addresses with their corresponding IP addresses.

What does sn1per do? How can sn1per be run?

sn1per combines multiple recon tools to provide one set of queries and one set of outputs. sn1per can be run intrusively or in stealth mode. Side note - sn1per can return DNS info, check for DNS subdomains, run TCP port scans using nmap, and scan HTTP ports for info on the web server.

POP3 and IMAP

tcp/110. Used for receiving mail, not sending.

IMAP4

tcp/143

VoIP/H.323

tcp/1720

FTP port

tcp/20 (active mode) or tcp/21 (control)

SFTP port

tcp/22 because it uses SSH

What port does Telnet use?

tcp/23. Used to remotely log in to network devices. Not encrypted.

RDP (remote desktop protocol) port

tcp/3389

LDAP/LDAPS

tcp/389, used by a client to communicate with an LDAP server. LDAPS uses tcp/636.

VoIP/SIP port

tcp/5060 tcp/5061

HTTP port

tcp/80

What is theHarvester?

theHarvester is a tool that compiles and presents OSINT. Can run a DNS brute force to find unknown hosts: VPN servers, chat, email addresses, and partners.

What does tracert do?

tracert is a Windows command that maps the entire path a packet takes to reach a destination.

NTP

udp/123

SNMPv3 port

udp/161

DNS port

udp/53. Converts domain names to IP addresses.

DHCP port

udp/67, udp/68

SMB (server message block) AKA CIFS (Common Internet File System) port

tcp/445. Used by Windows for file sharing/printer sharing.

What is TOCTOU?

TOCTOU (time-of-check to time-of-use) is an attack that takes advantage of a race condition.

What is CVSS?

- A feature of the NVD that provides quantitative and qualitative scores for each vulnerability.
- Contains versions 1 and 2 to pick from depending on your organization's desired outcome/risk appetite.

What is an AH? What does the AH protocol provide? What does it guarantee? What is one thing it prevents? What does it commonly use?

- Authentication Header (AH) protocol.
- A hash of the packet and a shared key that is shared between the two IPsec concentrators.
- Provides integrity, guarantees authentication (because of the shared key used for the hash), and prevents replay attacks (uses sequence numbers).
- Does not provide confidentiality.
- Commonly uses SHA-2.

Remote Attestation

- After the boot integrity steps, the device provides a report of the hash values to a verification/attestation server.
- The report is encrypted and digitally signed with keys that are part of the TPM.
- The attestation server then compares that report to the known goods that it has stored and either signs off on it or not.

What are Next-generation Firewalls (NGFW) AKA?

- Application layer gateways
- Stateful multilayer inspection
- Deep packet inspection

What are the 2 core protocols that may be used with IPsec?

- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
- Usually both are used together.

Who is NIST CSF designed for? What does NIST CSF provide? What are the 3 major areas of NIST CSF? What 5 aspects of cyber security does the NIST CSF framework core cover? What do the NIST CSF implementation tiers do and how many are there? What are NIST CSF profiles?

- Designed for commercial organizations.
- Provides a high-level view of cyber security.
- Three major areas: Core, Implementation Tiers, and Profiles.
- Framework Core - Identify, Protect, Detect, Respond, Recover.
- Framework Implementation Tiers - describe the degree to which an organization's risk management practices exhibit the characteristics in the Framework. There are 4 tiers.
- Framework Profiles - an organization's alignment of its requirements, objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles can be used to identify opportunities to improve an organization's security posture by comparing the current profile with a target profile.

What does ESP do? What does it commonly use?

- Encapsulating Security Payload (ESP)
- Adds a header, a trailer, and an integrity check value.
- Encrypts and authenticates the tunneled data.
- Commonly uses SHA-2 for the hash and AES for encryption.

What does FTPS use?

File Transfer Protocol Secure uses SSL/TLS.

What are the 3 different reports associated with SOC 2? What are they associated with? What are they a part of?

- Firewall reports, intrusion detection reports, and multi-factor authentication reports.
- The reports are associated with the Trust Services Criteria (security controls).
- The reports are created as part of the SSAE SOC 2 Type I/II audits.

What authentication framework do federations usually use?

- LDAP (Lightweight Directory Access Protocol) or LDAPS (LDAP over SSL/TLS)
- X.500 specification

L2TP

- Layer 2 Tunneling Protocol
- Connects sites over a layer 3 network as if they were connecting at layer 2.
- Commonly implemented with IPsec: L2TP for the tunneling and IPsec for the encryption.

What does NIST RMF stand for? Who is required to follow NIST RMF? What are the 6 steps of NIST RMF?

- National Institute of Standards and Technology
- US federal agencies are required to follow NIST RMF.
- The 6 steps of the NIST RMF are categorize, select, implement, assess, authorize, and monitor.
  - Categorize (define the environment)
  - Select (pick appropriate controls)
  - Implement (define proper implementations)
  - Assess (determine if controls are working)
  - Authorize (make a decision to authorize a system)
  - Monitor (check for ongoing compliance)

NVD

- National Vulnerability Database
- Contains a list of CVEs and corresponds with MITRE.

Rainbow tables

- Prebuilt set of hashes.
- Needs different tables for different hashing methods.
- Salting prevents this from working.

What additional functionality does SFTP have over FTPS? What does SFTP use?

- SSH File Transfer Protocol uses SSH rather than SSL/TLS.
- Additional functionality - provides file system functionality such as getting directory listings and removing files.
- Can resume interrupted transfers.

What layer of the OSI model does IPsec provide security for? What does IPsec implement?

- Security for OSI layer 3.
- Implements encryption and packet signing for confidentiality and integrity/anti-replay. Also provides authentication.
- Very standardized, so it can function with most vendors' appliances.

What kind of organization is CSA?

CSA is a not-for-profit organization.

What does CSA create?

The CSA creates the Cloud Controls Matrix (CCM), which maps controls to standards, best practices, and regulations.

A security manager has created a report showing intermittent network communication from external IP addresses to certain workstations on the internal network. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns?
❍ A. ARP poisoning
❍ B. Backdoor
❍ C. Polymorphic virus
❍ D. Trojan horse

B. Backdoor
A backdoor would allow an attacker to access a system at any time without any user intervention. If there are inbound traffic flows that cannot be identified, it may be necessary to isolate that computer and examine it for signs of a compromised system.
Side Note - Incorrect Answers
C. Polymorphic virus - Polymorphic viruses will modify themselves each time they are downloaded. Although a virus could potentially install a backdoor, a polymorphic virus would not be able to install itself without user intervention.
D. Trojan horse - A Trojan horse is malware that is hidden inside of a seemingly harmless application. Once the Trojan horse is executed, the malware will be installed onto the victim's computer. Trojan horse malware could possibly install backdoor malware, but the Trojan horse itself would not be the reason for these traffic patterns.

Which of the following risk management strategies would include the purchase and installation of an NGFW?
❍ A. Transference
❍ B. Mitigation
❍ C. Acceptance
❍ D. Risk-avoidance

B. Mitigation
Mitigation is a strategy that decreases the threat level. This is commonly done through the use of additional security systems and monitoring, such as an NGFW (Next-Generation Firewall).
Side Note - Incorrect Answer
D. Risk-avoidance - With risk-avoidance, the owner of the risk decides to stop participating in a high-risk activity. This effectively avoids the risky activity and prevents any future issues.

Which part of the PC startup process verifies the digital signature of the OS kernel?
❍ A. Measured Boot
❍ B. Trusted Boot
❍ C. Secure Boot
❍ D. POST

B. Trusted Boot
The Trusted Boot portion of the startup process verifies the operating system kernel signature and starts the ELAM (Early Launch Anti-Malware) process.
Side Note - Incorrect Answers
A. Measured Boot - Measured Boot occurs after the Trusted Boot process and verifies that nothing on the computer has been changed by malicious software or other processes.
C. Secure Boot - Secure Boot is a UEFI BIOS boot feature that checks the digital signature of the bootloader. The Trusted Boot process occurs after Secure Boot has completed.

A security team has been provided with a non-credentialed vulnerability scan report created by a third-party. Which of the following would they expect to see on this report?
❍ A. A summary of all files with invalid group assignments
❍ B. A list of all unpatched operating system files
❍ C. The version of web server software in use
❍ D. A list of local user accounts

C. The version of web server software in use
A scanner like Nmap can query services and determine version numbers without any special rights or permissions, which makes it well suited for non-credentialed scans.

A company is deploying a new mobile application to all of its employees in the field. Some of the problems associated with this rollout include:
• The company does not have a way to manage the mobile devices in the field
• Company data on mobile devices in the field introduces additional risk
• Team members have many different kinds of mobile devices
Which of the following deployment models would address these concerns?
❍ A. Corporate-owned
❍ B. COPE
❍ C. VDI
❍ D. BYOD

C. VDI
A VDI (Virtual Desktop Infrastructure) would allow the field teams to access their applications from many different types of devices without the requirement of mobile device management or concern about corporate data on the devices.

A security administrator has been asked to respond to a potential security breach of the company's databases, and they need to gather the most volatile data before powering down the database servers. In which order should they collect this information?
❍ A. CPU registers, temporary files, memory, remote monitoring data
❍ B. Memory, CPU registers, remote monitoring data, temporary files
❍ C. Memory, CPU registers, temporary files, remote monitoring data
❍ D. CPU registers, memory, temporary files, remote monitoring data

D. CPU registers, memory, temporary files, remote monitoring data
The most volatile data disappears quickly, so data such as the CPU registers and information in memory will be lost before temporary files and remote monitoring data are no longer available. Side note - memory is more volatile than temporary files.

A recent report shows the return of a vulnerability that was previously patched four months ago. After researching this issue, the security team has found that a recent patch has reintroduced this vulnerability on the servers. Which of the following should the security administrator implement to prevent this issue from occurring in the future?
❍ A. Templates
❍ B. Elasticity
❍ C. Master image
❍ D. Continuous monitoring

D. Continuous monitoring
It's common for organizations to continually monitor services for any changes or issues. A nightly vulnerability scan across important servers would identify issues like this one.
Side Note - Incorrect Answers
A. Templates - Templates can be used to easily build the basic structure of an application instance. These templates are not used to identify or prevent the introduction of vulnerabilities.
C. Master image - A master image is used to quickly copy a server for easy deployment. This image will need to be updated and maintained to prevent the issues associated with unexpected vulnerabilities.

Which of the following is true of a rainbow table? (Select TWO)
❍ A. The rainbow table is built in real-time during the attack
❍ B. Rainbow tables are the most effective online attack type
❍ C. Rainbow tables require significant CPU cycles at attack time
❍ D. Different tables are required for different hashing methods
❍ E. A rainbow table won't be useful if the passwords are salted

D. Different tables are required for different hashing methods, and E. A rainbow table won't be useful if the passwords are salted

A department store policy requires that a floor manager approves each transaction when a gift certificate is used for payment. The security team has found that some of these transactions have been processed without the approval of a manager. Which of the following would provide a separation of duties to enforce this store policy?
❍ A. Use a WAF to monitor all gift certificate transactions
❍ B. Disable all gift certificate transactions for cashiers
❍ C. Implement a discretionary access control policy
❍ D. Require an approval PIN for the cashier and a separate approval PIN for the manager

D. Require an approval PIN for the cashier and a separate approval PIN for the manager
This separation of duties would be categorized as dual control, where two people must be present to perform the business function. In this example, the dual control is managed by using two separate PINs (Personal Identification Numbers) that would not be shared among individuals.

A security analyst has identified a number of sessions from a single IP address with a TTL equal to zero. One of the sessions has a destination of the internet firewall, and a session immediately after has a destination of your DMZ server. Which of the following BEST describes this log information?
❍ A. Someone is performing a vulnerability scan against the firewall and DMZ server
❍ B. Users are performing DNS lookups
❍ C. A remote user is grabbing banners of the firewall and DMZ server
❍ D. Someone is performing a traceroute to the DMZ server

D. Someone is performing a traceroute to the DMZ server
A traceroute maps each hop by slowly incrementing the TTL (Time to Live) value during each request. When the TTL reaches zero, the receiving router drops the packet and sends an ICMP (Internet Control Message Protocol) TTL Exceeded message back to the original station.

When a home user connects to the corporate VPN, they are no longer able to print to their local network printer. Once the user disconnects from the VPN, the printer works normally. Which of the following would be the MOST likely reason for this issue?
❍ A. The VPN uses IPSec instead of SSL
❍ B. Printer traffic is filtered by the VPN client
❍ C. The VPN is stateful
❍ D. The VPN tunnel is configured for full tunnel

D. The VPN tunnel is configured for full tunnel
A split tunnel is a VPN (Virtual Private Network) configuration that only sends a portion of the traffic through the encrypted tunnel. A split tunnel would allow work-related traffic to securely traverse the VPN, and all other traffic would use the non-tunneled option. In this example, the printer traffic is being redirected through the VPN instead of the local home network because of the non-split/full tunnel.
Side Note - Incorrect Answers
B. Printer traffic is filtered by the VPN client - VPN clients are usually tasked with sending traffic unfiltered through the encrypted tunnel. Although data could be filtered at some point along the communication path, it's not commonly filtered by the VPN client.
C. The VPN is stateful - Stateful communication is commonly associated with firewalls, and it refers to the firewall's ability to track traffic flows. Stateful communication would not be a technology commonly associated with a VPN, and it would not be part of the user's printing issue.

A security administrator needs to identify all references to a Javascript file in the HTML of a web page. Which of the following tools should be used to view the source of the web page and search through the file for a specific filename? (Select TWO)
❍ A. tail
❍ B. openssl
❍ C. scanless
❍ D. grep
❍ E. Nmap
❍ F. curl
❍ G. head

D. grep and F. curl
The curl (Client URL) command will retrieve a web page and display it as HTML at the command line. The grep command can then be used to search through the file for a specific string of text.

What does dnsenum do?

dnsenum (enumerate DNS) finds hostnames and performs queries on those hostnames.

Full Tunnel VPN

Everything being sent by the remote user goes through the VPN concentrator, which provides an encrypted tunnel.

What are exploitation frameworks?

Exploitation frameworks are frameworks used to test systems for vulnerabilities. Exploitation frameworks are often developed by a third party and can be modified by the company to add or take away certain tests. Metasploit and The Social-Engineer Toolkit are examples of exploitation frameworks.

Where can you find info on how to design and plan a pen test?

Info on how to design and plan a pen test can be found in the NIST Technical Guide to Information Security.

What is ISO/IEC?

International level security frameworks.

Continuous Deployment (CD)

Like continuous delivery, but the code is automatically deployed into production without you having to click the deploy button. No human interaction or manual checks are required after the code is written.

An IPS at your company has found a sharp increase in traffic from all-in-one printers. After researching, your security team has found a vulnerability associated with these devices that allows the device to be remotely controlled by a third-party. Which category would BEST describe these devices?
❍ A. IoT
❍ B. RTOS
❍ C. MFD
❍ D. SoC

C. MFD (Multifunction Device)

What port does SMTP use? What is SMTP used for?

Simple Mail Transfer Protocol uses tcp/25. Used to send mail between mail servers and from clients to mail servers. Side note - incoming traffic from a mail server to a device would likely use something like IMAP or POP3, which use different ports.

Split Tunnel VPN

A split tunnel only uses the encrypted tunnel for traffic going to or from the VPN. If someone wants to access a separate network, they may do so without using the encrypted tunnel.

You've hired a third-party to gather information about your company's servers and data. The third-party will not have direct access to your internal network but can gather information from any other source. Which of the following would BEST describe this approach?
❍ A. Backdoor testing
❍ B. Passive footprinting
❍ C. OS fingerprinting
❍ D. Partially known environment

B. Passive footprinting

What needs to be determined before a pen test takes place? What 4 things are commonly included in this?

Rules of engagement need to be determined before a pen test takes place. Rules of engagement may include:
- IP address ranges
- emergency contacts
- how to handle sensitive info
- in-scope and out-of-scope devices and apps

Boot Integrity Steps/chain of trust

Secure Boot - verifies the boot loader's signature.
Trusted Boot - the boot loader verifies the signature of the OS kernel and launches ELAM.
Measured Boot - verifies that no changes have occurred with the OS.

Rodney, a security engineer, is viewing this record from the firewall logs:
UTC 04/05/2018 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim's IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not

The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818) indicates that this traffic flow originated on port 80 of the web server. A file download is one of the most common ways to deliver a Trojan, and this log entry shows that the file containing the XPACK.A_7854 Trojan was blocked.

Which of the following would be commonly provided by a CASB? (Select TWO)
❍ A. List of all internal Windows devices that have not installed the latest security patches
❍ B. List of applications in use
❍ C. Centralized log storage facility
❍ D. List of network outages for the previous month
❍ E. Verification of encrypted data transfers
❍ F. VPN connectivity for remote users

The Answer: B. A list of applications in use, and E. Verification of encrypted data transfers
A CASB (Cloud Access Security Broker) can be used to apply security policies to cloud-based implementations. Two common functions of a CASB are visibility into application use and data security policy use. Other common CASB functions are the verification of compliance with formal standards and the monitoring and identification of threats.

The embedded OS in a company's time clock appliance is configured to reset the file system and reboot when a file system error occurs. On one of the time clocks, this file system error occurs during the startup process and causes the system to constantly reboot. Which of the following BEST describes this issue?
❍ A. DLL injection
❍ B. Resource exhaustion
❍ C. Race condition
❍ D. Weak configuration

The Answer: C. Race condition
A race condition occurs when two processes occur at similar times, usually with unexpected results. The file system problem is usually fixed before a reboot, but a reboot is occurring before the fix can be applied. This has created a race condition that results in constant reboots.

What does the Autopsy tool do?

The Autopsy tool performs digital forensics of hard drives. The Autopsy tool can extract downloaded files, browser history and cache, email messages, and databases from the drive.

What 4 things does the CSA cover?

The CSA covers:
- methodologies and tools
- ways to assess your internal IT groups and cloud providers
- info on how the security controls can be determined for a particular implementation
- info on how to build a roadmap to continually improve the security of your cloud computing infrastructure

What is CIS CSC? How many key actions are contained within the CIS CSC?

The Center for Internet Security Critical Security Controls for effective cyber defense is a security framework to help you improve the security posture of your network. The CIS CSC contains 20 key actions or critical security controls that are categorized for different organization sizes.

What security framework is used for cloud computing?

The Cloud Security Alliance (CSA) is the security framework used for cloud computing. Side note - the CSA covers methodologies and tools, ways to assess your internal IT groups and cloud providers, info on how the security controls can be determined for a particular implementation, and info on how to build a roadmap to continually improve the security of your cloud computing infrastructure.

Which of the following standards provides information on privacy and managing PII?
❍ A. ISO 31000
❍ B. ISO 27002
❍ C. ISO 27701
❍ D. ISO 27001

C. ISO 27701
The ISO (International Organization for Standardization) 27701 standard extends the ISO 27001 and 27002 standards to include detailed management of PII (Personally Identifiable Information) and data privacy.

What is ISO/IEC 27001?

The ISO 27001 standard is the foundational standard for properly maintaining Information Security Management Systems (ISMS).

ISO/IEC 31000

The ISO 31000 standard sets international standards for risk management practices.

What does the WinHex utility do?

The WinHex utility looks through the raw data representation of files from commands like tcpdump and memdump. Also provides disk cloning and remote-wipe capabilities. Side note - can also be used to erase things permanently from the hard drive.

Domain Hijacking

The attacker gains access to the domain registration and modifies the configuration of a domain name, thus gaining control of the traffic flow.

What does the curl command do?

The curl (Client URL) command allows you to grab raw HTML data from websites and view it in the terminal.

What does the dd command do?

The dd command images or partitions a drive.

What does the hping command do?

The hping command is a TCP/IP packet assembler/analyzer. hping provides port information and allows you to modify packet information such as IP, TCP, UDP, and ICMP. Running this command may cause a DoS. The --scan option brings back port information for specified port ranges and IP addresses.

What does the logger command do?

The logger command documents information in a log file or marks when a series of steps may be beginning or ending. Writes to the syslog file.

What does the netstat command do?

The netstat command shows what IP addresses are connecting to your device or vice versa.

What does the nmap command do?

The nmap command finds devices and identifies open ports. nmap also discovers the OS and shows the name, version, and other details of services running on a device. Side note - nmap can also run additional scripts from the NSE (Nmap Scripting Engine) and is used for vulnerability tests.

What does the pathping command do?

The pathping command combines the tracert and ping commands.

What does the tcpdump command do?

The tcpdump command does the same thing as Wireshark but is run from the command line rather than a GUI.

What does traceroute (tracert) do?

The traceroute command is used by Unix, Linux, and macOS to map the entire path a packet takes to reach a destination.

