C842 - CyberDefense and CounterMeasures WGU Quizlet (EC Council CIH v2) by Brian MacFarlane

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Which of the following type of risk is defined by the formula (threats x vulnerability)? A Residual risk B Qualitative risk C Inherent risk D Quantitative risk

C

Which one of the following CSIRT services include alerts and warnings, incident handling, vulnerability handling, and artifact handling activities? A Reactive Services B Proactive Services C Security Quality Management Services D Vulnerability Management Services

A

Which one of the following is a technical threat? A Incorrect data entry B Shoulder surfing C Sniffing and scanning of the network traffic D Password guessing

C

A business framework for IT governance and management toolset enabling managers to bridge the gap between control requirements, technical issues and business risks.

COBIT

Public Cloud - Open for Public Use Private Cloud - Single Organization Community Cloud - Several Orgs from specific community Hybrid - 2 or More clouds, like private and public combined

Cloud Models

Provides Cloud services

Cloud Provider

Cloud Passage Halo - is a cloud server security platform with all the security functions to safely deploy cloud servers, which we all know an incident handler needs to have in his tool box.😂

Cloud Security Tools

A person or organization who makes the services available to the customers.

Cloud Service Provider (CSP)

Loggly- offers cloud monitoring for analyzing system behavior and suspicious activities

Cloud-based Analysis Tools

Which of the following refers to the process of identifying, labeling, recording, and acquiring data from all possible sources? A Collection B Preservation C Examination D Analysis

A

Which of the following terms defines the purpose and scope of the planned incident handling and response capabilities? A IH&R mission B IH&R staffing C IH&R team models D IH&R vision

A

On-Demand Self-service Distributed storage Rapid elasticity automated management Broad Network Access Resource Pooling Measured Service Virtualization Technology

Clouds Provide

doskey /history

Command History

The person who is the first to arrive at the crime scene to assess the crime scene and alert the management and incidence response teams.

First Responder

Forensic Explorer - Recovers and Analyses hidden and system files, deleted files, slack space, unallocated space FTK Forensic Tool Kit Event Log Explorer

Forensic Analyse Tools

A process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value.

Forensic Data Acquisition

A statement of allegations and conclusions drawn from the computer forensics investigation.

Forensic Investigation Report

A set of procedures describing the actions an organization must take to preserve and extract forensic evidence during an incident.

Forensic Policy

Which of the following policy controls the access to the facilities and computers? A Information Security Policy B Personnel Security Policy C Physical Security Policy D Evidence Collection Policy

C

An organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs.

Forensic Readiness

A set of processes required to achieve and maintain forensic readiness.

Forensic Readiness Planning

The expenditures that the organization cannot calculate directly or value accurately.

Intangible Costs

Alerts, warnings, reports, complaints, and issues that represent an ongoing or completed security attack on an organization or its resources.

Signs of An Incident

Alerts of data ex-filtration missing or modified network logs changes in network patterns multiple failed logon attempts behavioral and temporal changes unusual time and location access missing or modified critical data unauthorized download of sensitive data

Signs of an Insider

Which of the following risk mitigation strategy make an organization absorb minor risks while preparing to respond to major ones? A Risk avoidance B Risk limitation C Risk assumption D Risk planning

C

Which of the following sources of evidence helps an incident responder to collect information that guides him or her in building the timeline of attack? A financial services B job services C social networks D online location tracking

C

Which of the following statement defines a risk policy? A Estimating the damage caused due to occurrence of a disaster B Finding the level of the risk C Set of ideas implemented to overcome risks D Defined probability of the occurrence of an incident

C

Which of the following terms is considered as a process of scanning an IP range to detect live hosts? A port scanning B social engineering C ping sweeping D DNS footprinting

C

Which of the following terms refers to a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory? A forensic policy B promiscuous policy C chain of custody D forensic readiness plan

C

The unsolicited or undesired emails used to distribute malicious links and attachments, cause network congestion, perform phishing and financial frauds, and so on.

Spam

A black box testing method. It is a quality checking and assurance technique used to identify coding errors and security loopholes in web applications.

Web Application Fuzz testing

Software programs that run on web browsers and act as the interface between users and web servers through web pages.

Web Applications

Refers to how much the digital evidence changes the probability of the fact.

Weight of the Digital Evidence

Which of the following terms refers to an art of manipulating people to divulge sensitive information to perform some malicious action? A pod slurping B tailgating C social engineering D privilege escalation

C

A security event that happens due to accidental or intentional activities in a wireless network.

Wireless Network Security Incident

Which of the following is the practice of identifying the infected systems by looking for evidence of the recent infections? A Forensic identification B Active identification C UManual identification D Passive identification

A

Bitdefender ClamWin Kapersky McAfee Total Protection Norton AV Avast ESET AVG Avira

AntiVirus Tools

BCwipe Total Wiperout Active@killdisk Cyberscrub Shredit Secure Erase

Antiforensics using Artifact Wiping Tools

Gophish SPAMfighter

Antiphishing Tools

Which of the following cloud security incidents deal with suspicious IP addresses, MAC addresses, user accounts, systems, applications, services, and other attack vectors? A network related incidents B servers related incidents C virtualization related incidents D storage related incidents

A

Which of the following determines the level of risk and the resulting security requirements for each system? A Risk assessment B Contingency planning C Risk mitigation D Residual risk

A

Which of the following forensic readiness procedures helps an incident responder in gathering useful information about the system behavior through file integrity monitoring? A host monitoring B risk assessment C network monitoring D evidence assessment

A

SolarWinds ArcSight ESM Splunk Enterprise LogRhythm NextGen

Insider Threat Prevention Tools SIEM Tools

Which of the following incident refers to a user performing actions that violate the acceptable computing use policies? A Inappropriate usage incident B Unauthorized access incident C Multiple Component incident D Distributed Denial-of-Service (DDoS) incident

A

Which of the following is a set of specific strategies, guidelines, and processes to recover from an incident resulting due to a problem or emergency? A Contingency plan B Incident recovery testing C Business impact analysis D Temporary plan analysis

A

Which of the following is an indication of unauthorized usage of the standard user account? A Usage of secret account B Alert of network and host IDS C Misplaced hardware parts D Increase in the usage of resource

A

An act of tricking people to reveal sensitive information is involved in which type of Reconnaissance technique? A social engineering B port scanning C DNS footprinting D ping sweeping

A

Carl is trying to violate the acceptable use of a network and computer use policy. Under which category of the incident handling criteria does this scenario fall? A CAT 4 B CAT 2 C CAT 1 D CAT 3

A

Flora is an incident handler at an organization that is implementing forensic readiness procedures to handle evolving cyber threats. As part of this process, she decided to use an advanced authentication protocol to secure the organizational network resources. Which of the following protocols must Flora employ? A Kerberos/IPSec B ICMP/UDP C TCP/IP D FTP/HTTP

A

From the following, identify the Wireshark filter that is used to view the packets moving without a flag set while performing the Null scan attempts. A TCP.flags==0x000 B tcp.flags==0X029 C tcp.dstport==25 D tcp.dstport==7

A

HDBC's online banking website was knocked offline, and its customers were unable to login, and make online transactions. After few hours the bank authorities identified that some attacker had kept their server busy by establishing simultaneous login sessions which restricted their customer from logging into the bank website. Identify the attack that the invader has used to draw the bank server offline. A DoS attack B Session Hijacking C Man-in-the-Middle D Cross-Site-Scripting

A

Which of the following is defined as the existence of a weakness in the design or implementation error that can lead to an unexpected, undesirable event compromising the security of the system? A Vulnerability B Patch C Attack D Accident

A

Hexagon, a leading IT company in the USA, have received a lot of malformed TCP/IP packets, which lead the main server's operating system to crash and thereby restricted the employees from accessing their resources. Which attack did the adversary use in the above situation? A DoS attack B Session Hijacking C Man-in-the-Middle D Cross-Site-Scripting

A

How will you define Qualitative risk analysis? A (Attack Success + Criticality) - (Countermeasures) B (Countermeasures) + (Criticality - Attack Success) C (Attack Success + Countermeasures) - (Criticality) D (Attack Success) + (Criticality - Countermeasures)

A

How will you define quantitative risk analysis? A Probability of loss X value of loss B Value of loss/ Probability of loss C Probability of loss + value of loss D Probability of loss - value of loss

A

Identify the character set that is used for replacing the suspicious characters to bypass the filtering mechanism in a path traversal attack. A ../ B / C > D \..

A

Identify the information security element that determines trustworthiness of data or resources in terms of preventing improper and unauthorized changes. A integrity B availability C authenticity D non-repudiation

A

Identify the security policy that doesn't keep any restrictions on the usage of system resources. A promiscuous policy B prudent policy C paranoid policy D permissive policy

A

Identify the type of DoS/DDoS incident in which the magnitude of attack is measured in bits per second (bps). A volumetric attack B transport layer attack C protocol attack D application layer attack

A

Identify the type of DoS/DDoS incident in which the magnitude of attack is measured in packets per second (pps). A protocol attack B volumetric attack C transport layer attack D application layer attack

A

In memory dump analysis, which of the following tools is used for disassembling and debugging malware? A IDA Pro B FLOSS C Hakiri D ASPack

A

Riya got the following email: Dear user, Due to an unexpected software glitch, we have lost all our customer details and left with only email IDs. In order to continue our services, we request you provide your username and password in the below fields and revert back. If not, your balance amount will be lost and account will be deleted permanently. Username: _____________ Password: ______________ Click reply and send. Note: Please Forward this mail to all the HDBC users you know. Sorry for the inconvenience. Thank you for your cooperation HDBC Bank Admin Copyright © 2017 Service Providers administrator All rights reserved. On seeing the message, Riya got startled and immediately responded the sender with her username and password. Later she came to know that her account has been hacked. Which trick did the attacker use to trap Riya? A Attacker used phishing B Attacker used sniffing technique C Attacker used Pharming technique D Attacker used keylogger technique

A

Rob, an incident manager, was informed about an incident where a suspicious application was found residing in the active memory of multiple systems on a network. Upon investigation, he found that the application was self-replicating and degrading the systems' performance, but it did not affect the files in those systems. What is your inference from the above scenario? A The application is a Worm B The application is a Virus C The application is a Trojan D The application is a Backdoor

A

Smith is a forensic expert in a reputed organization based in New York. As a part of his task, he sniffed the data packets that are trying to communicate with the server of the organization, he recorded and then analyzed the event logs. Which type of the forensic analysis did Smith perform? A Network Forensics B Data Forensics C Internet Forensics D Source-code forensics

A

Smith is managing a web server that runs a PHP-based web service. He was escalated an incident where users were not able to access the service. During the investigation, he discovered that the web server is live and there is no alert from the anti-malware system. However, in the Task Manager, he discovered a large number of php-cgi processes that were consuming up to ninety-nine percent of the CPU. What can Smith infer from the above observation? A It indicates a DoS attack B It indicates an unauthorized access attack C It indicates a Trojan attack D It indicates a php-cgi injection attack

A

The scenario where the detection software either does not record the malicious event or ignores the important details about the event is referred to as ________. A insufficient logging and monitoring B cross-site scripting (XSS) attacks C using components with known vulnerabilities D insecure deserialization

A

What does the Neutral result on the Domain Keys Identified Mail (DKIM) protocol indicate? A The email is signed, but the signature has syntax errors, so it cannot be processed. B The email is signed and the signature passes the verification tests. C The email is signed and the signature does not pass the verification tests. D The email is signed, and some part of signature is not acceptable by administrative management domains (ADMD).

A

What is a residual risk? A Risk remaining after implementation of all the possible controls B Risk caused due to a threat exercising vulnerability C Risk resolved with the implementation of possible controls D Risk within the acceptable level of threshold

A

Which among the following malware pretends to be a program that offers useful applications, but acquires the information of the computer and sends it to a remote attacker? A Spyware B Worm C Virus D Rootkit

A

Which category of unauthorized access is associated with changes in system status? A Physical Intruder B Unauthorized Data Access C Unauthorized Usage of Standard User Account D Unauthorized Data Modification

A

Which of the following Wireshark filters is used to view the packets with FIN, PSH, and URG TCP flags set for detecting Xmas scan attempts? A tcp.flags==0X029 B tcp.dstport==7 C TCP.flags==0x000 D tcp.dstport==25

A

Which of the following activities identifies the effects of uncontrolled and non-specific events in the business process? A Business impact analysis B Support plan analysis C Temporary plan analysis D Threat Analysis

A

Which of the following phishing attacks is also known as "phishing without a lure"? A spimming B spear phishing C pharming D whaling

C

Which one of the following is an appropriate flow of steps in computer forensics process? A Preparation -> Collection -> Examination -> Analysis -> Reporting B Examination -> Analysis -> Preparation -> Collection -> Reporting C Analysis -> Preparation -> Collection -> Reporting -> Examination D Preparation -> Analysis -> Collection -> Examination -> Reporting

A

Which one of the following is an appropriate flow of the incident recovery steps? A System restoration -> System validation -> System operations -> System monitoring B System operations -> System restoration -> System validation -> System monitoring C System validation -> System operations -> System monitoring -> System restoration D System operations -> System validation -> System monitoring -> System restoration

A

Which one of the following is the correct flow of the stages in an incident response? A Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up B Identification -> Preparation -> Containment -> Recovery -> Follow-up -> Eradication C Containment -> Identification -> Preparation -> Recovery -> Follow-up -> Eradication D Eradication -> Containment -> Identification -> Preparation -> Recovery -> Follow-up

A

Which one of the following malware takes advantage of file or information transport features on the system to propagate across systems and networks without any human interactions? A Worms B Virus C Trojan D Spyware

A

Which one of the following personnel in incident response team focuses on the incident and handles it from management and technical point of view? A Incident Manager (IM) B Incident Coordinator (IC) C Incident Analyst (IA) D Technical Expert

A

A person or organization that maintains a business relationship with cloud service providers and uses cloud computing services.

Cloud Consumer

someone that uses cloud computing services

Cloud Consumer

DNS Query Sniffer DNS Stuff DNS Lookup Tool Sonar

DNS Monitoring Tools

Anti DDoS Guardian D-Guard Anti-DDoS Firewall Incapsula

DoS/DDoS Protection Tools

A type of preservation that is an integral part of evidence gathering process.

Evidence Handling

API Monitor API Metrics Runscope AlertSite

API Calls Monitoring Tools

Defined as taking away a person by persuasion, fraud, or open force or violence.

Abduction

Refers to how a web application grants access to create, update, and delete any record/content or functions to some privileged users and restrict other users.

Access Control

Solarwinds server and application Manager Adaxes ADManager ADAudit Anturis

Active Directory Tools

An attack that focuses on stealing information from the victim machine without its user being aware of it.

Advanced Persistent Threat (APT)

A type of attack that is generated by malicious programs such as viruses, Trojan horse, worms, etc.

Malicious Code Attack

Golden Ticket- Manipulate Kerberos Data file Deletion Password protected Steganography Program Packer Virtual Machines Data Hiding in File System Structures Trail obfuscation Overwriting data in the meta-data Encryption

Anti Forensic Techniques

Also known as counter forensics, is a set of techniques that attackers or perpetrators use to avert or sidetrack the forensic investigation process or try to make it much harder.

Anti-Forensics

measured in request per second

Application Layer Attacks

Refers to the process of deleting or destroying the evidence files permanently using various tools and techniques, such as disk-cleaning utilities file-wiping utilities and disk degaussing/destruction techniques.

Artifact Wiping

Refers to the characteristic of a communication, document, or any data that ensures the quality of being genuine or uncorrupted.

Authenticity

The assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users.

Availability

attacks aimed at obstructing the delivery of wireless services to legitimate users, either by crippling those resources or by denying them access to WLAN resources

Availability Attacks

Among the following causes of an insider attack, identify the one where a competitor may approach and lure employees to corrupt the organization's data in return for huge amounts of money. A hacktivism B corporate espionage C financial gain D work-related grievance

B

Identify the email crime in which a flurry of junk mail is sent by accident without human intervention. A mail bombing B mail storming C identity theft D malware distribution

B

In the cloud deployment models, which of the following is the composition of two or more clouds that remain as unique entities but are bound together, offering the benefits of multiple deployment models? A community cloud B hybrid cloud C private cloud D public cloud

B

In which attack does an attacker(s) infect multiple systems called zombies, and them to attack a particular target? A Denial of Service B Distributed denial of service C Identity Spoofing D Man-in-the-Middle

B

John, a security professional working for Xdoc Corporation, is implementing a security strategy that uses multilayered protection throughout an information system to help minimize any adverse impact from attacks on organizational assets. Identify the security strategy John has implemented. A covert channel B defense-in-depth C likelihood analysis D three-way handshake

B

Roy is a software employee working in a Nexawave, a leading IT firm. One day he has downloaded few files from the internet and referred them for his current project. While developing the project document, Roy observed that his word application is crashing uninterruptedly. What could be the reason for the above situation? A Roy's system has infected by boot-record infectors B Roy's system has infected by Macro virus C Roy's system has infected by Micro virus D Roy's system has infected through phishing

B

What is the purpose of proactive services offered by a CERT? A To find the cost of fixing a problem B To develop the infrastructure and security processes C To provide services to the constituency D None of the above

B

Which among the following incidents refer to a person gaining access to system and network resources which he/she was not authorized to have? A Handling Inappropriate Usage Incidents B Unauthorized Access Incident C Handling Multiple Component Incidents D Authorized Access Incident

B

Which of the following Wireshark filters is used to locate duplicate IP address traffic? A arp.duplicate-traffic-detected B arp.duplicate-address-detected C tcp.duplicate-traffic-detected D tcp.duplicate-address-detected

B

Which of the following cloud computing threats refers to the ignorance of the CSP's cloud environment and poses risks in operational responsibilities such as security, encryption, and architectural issues? A unsynchronized system clocks B insufficient due diligence C abuse and nefarious use of cloud services D data breach/loss

B

Which of the following commands helps in finding the manipulated system functions while performing memory dump analysis using Volatility Framework? A threads B apihooks C idt D filescan

B

Which of the following elements of an email header shows a detailed log of a message's history, such as the origin of an email and information on forgeries? A Subject B Received C X-Mailer D Message-Id

B

Which of the following incident response action focuses on limiting the scope and extent of an incident? A Identification B Containment C Eradication D Formulating a response strategy

B

Which of the following information security elements ensures that the information is accessible only to those who are authorized to have access? A authenticity B confidentiality C integrity D availability

B

Which of the following is NOT a static malware analysis technique? A file fingerprinting B windows services monitoring C malware disassembly D local and online malware scanning

B

Which of the following is an advantage of the Platform-as-a-Service (PaaS)? A data privacy B prebuilt business functionality C vendor lock-in D integration with the rest of the system applications

B

Which of the following phases of the computer forensics investigation process involves acquisition, preservation, and analysis of evidentiary data to identify the source of a crime and the culprit behind it? A pre-investigation phase B investigation phase C vulnerability assessment phase D post-investigation phase

B

Which of the following strategy focuses on minimizing the probability of risks and losses by searching vulnerabilities in the system and appropriate controls? A Risk planning B Research and acknowledgment C Risk avoidance D Risk limitation

B

Which of the following techniques do you implement to respond to an insider attack? A Place all the users in quarantine network B Place malicious users in quarantine network C Allow malicious users to access sensitive information D Leave the insider's computer open in the network

B

Which of the following terms refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs? A expert testimony B forensic readiness C data acquisition D first response

B

Huge network of compromised systems used by attackers to perform denial-of-service attacks.

Botnet

Which of the following malware detection techniques is employed in intrusion analysis to identify the transfer of any unwanted traffic to malicious or unknown external entities? A covert malware beaconing B SSDT patching C covert C&C communication D kernel filter drivers

C

Wireshark Colasoft Network Analyser OmniPeek Observer PRTG Network Monitor Netflow Analyzer

Browser Activity Monitoring Tools

Amber, a networking student, is trying to write a regex for the detection of logs that contain traces of a directory traversal attack involving characters '../'. Which of the following characters should she use to specify the hex equivalent for backward slash? A \%3E B \%2E C \%5C D \%2F

C

Chris is a forensic expert and was hired by a major financial company to use his services in the incidents and crimes that involve the use of computers. Being a forensic expert, he has to perform many duties day-to-day. Choose the duties that Chris has to perform being a forensic expert from the list below: I. The reason for the incident that was happened II. Determine the nature of the system by analyzing it III. Establishing the secure network measures to avoid the incident from happening IV. Preserver, analyze and submit in the court A I, II, and III B II, III, and IV C I, II, and IV D I, II, III, and IV

C

From the following, identify the character that specifies the hex equivalent of O character in a regular expression. A \%3C B \%42 C \%4F D \%62

C

Identify an insider attack where a person surreptitiously overhears confidential conversations at boardrooms, meeting halls, and corridors. A impersonation B pod slurping C eavesdropping D shoulder surfing

C

Identify the phishing attack in which an attacker imitates the email writing style and other content to make his or her activities seem legitimate. A pharming B puddle phishing C CEO scam D spimming

C

In eradicating malware incidents, what is the name of the method used to block the harmful URLs, IP addresses, and email IDs that have acted as a source for spreading malware? A manual scan B fixing devices C blacklist D updating the malware database

C

In the DoS containment strategy, at what point you will ask your ISP to implement filtering? A After correcting the vulnerability or weakness that is being exploited B After relocating the affected target C After determining the method of attack D After identifying the attackers

C

What does \%27 indicate in the following regular expression? /((\%27)|(\'))union/ix A hex equivalent of hash character B hex equivalent of r character C hex equivalent of single-quote character D hex equivalent of O character

C

Which among the following is a process of rebuilding and restoring the computer systems affected by an incident to the normal operational stage? A Incident reporting B Incident handling C Incident recovery D Incident preparation

C

Which of the following activity involves all the processes, logistics, communications, coordination, and planning to respond and overcome an incident efficiently? A Incident recovery B Incident recovery C Incident Handling D Incident reporting

C

Which of the following characteristics of cloud computing is employed by the cloud systems and works on a "pay-per-use" metering method? A on-demand self-service B rapid elasticity C measured service D resource pooling

C

Which of the following document contains logs, records, documents, and any other information that is found on a system? A Incident preparation report B Incident response report C Host-based evidence report D Network-based evidence report

C

Which of the following is NOT an indicator of cloud security incidents? A creation of new accounts or duplication of the existing ones B inability to log into the account C authorized privilege escalation D increase/decrease of used cloud space

C

Which of the following is a methodology to create and validate a plan for maintaining continuous business operations before, during, and after incidents and disruptive events? A Incident response plan B Incident recovery plan C Business continuity planning D Business impact analysis

C

Which of the following is a process that ensures systems and major applications adhere to formal and established security requirements that are well documented and authorized? A Penetration testing B Computer forensics C Certification and Accreditation (C&A) D Incident handling

C

These controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.

Center for Internet Security (CIS) Controls

A legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory.

Chain of Custody

What are these a criteria of? Admissible Authentic Complete Reliable Believable

Characteristics of Digital Evidence

Tasklist or WMIC PSLogged on Net Sessions LogonSessions

Check Active logon Sessions

The offense of wrongfully removing or wrongfully retaining, detaining, or concealing a child or baby.

Child Abduction

A criminal offense where a child or a minor is depicted of engaging in a sexually explicit conduct such as photographs, film, video, pictures, or computer-generated images or pictures, whether made or produced by electronic, mechanical, or other means.

Child Pornography

A temporary storage area, where the system stores data during copy and paste operations.

Clipboard

Service Hijacking using social engineering service hijacking using network sniffing session hijacking using xss attack session hi jacking using session riding DNS attacks Side Channel Attacks SQL Inj attacks Cryptanalysis and Wrapping Attacks DoS and DDoS attacks Man in the middle

Cloud Attacks

A party that performs an independent examination of cloud service controls with the intent of expressing an opinion thereon.

Cloud Auditor

Independent assessments of cloud service controls

Cloud Auditor

Manages cloud services

Cloud Broker

Connectivity and Transport

Cloud Carrier

An on-demand delivery of IT capabilities in which IT infrastructure and applications are provided to subscribers as a metered service over a network.

Cloud Computing

An on-demand delivery of IT capabilities that provides IT infrastructure and applications to subscribers as metered services over networks.

Cloud Computing

A set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment, whereby any evidence discovered is acceptable during a legal and/or administrative proceeding.

Computer Forensics

A group of computers connected to each other for easy sharing of information and resources.

Computer Network

The assurance that the information is accessible only to those who are authorized to have access.

Confidentiality

The essential settings that help the websites and applications with the hardware and software components to produce required output.

Configuration

A crucial step in the incident management process that focuses on preventing additional damage.

Containment

Cloud Passage Quarantine - containerized application that monitors endpoint looking for specific events.

Containment Tools for Cloud Security Incidents

Proxy Switcher Proxy Workbench CyberGhost VPN Tor

Containment Tools: Web Proxy Tools

Isolate the affected systems Disable the affected service Eliminate the attacker's route into the network Disable the user accounts used in account

Containment of Unauthorized Access Incidents

The process of analyzing various security controls implemented by the organization to eradicate or minimize the probability of threat source exploiting a system vulnerability.

Control Analysis

An employee, who pretends to be a nice person and performs malicious activities secretively.

Corporate Mole

Also known as a one-click attack, occurs when a hacker instructs a user's web browser to send a request to the vulnerable website through a malicious web page.

Cross-site request forgery (CSRF) Attack

Refers to a contract between the organization and an insurer to protect related individuals from different threats and risks.

Cyber Insurance

Internet law refers to any laws that deal with protecting the Internet and other online communication technologies.

Cyber Law

Individuals with a wide range of skills, motivated by religious or political beliefs to create fear of large-scale disruption of computer networks.

Cyber Terrorists

A crime where attackers harass an individual, a group, or an organization using emails or IMs (instant messengers).

Cyberstalking

According to the NIST cloud deployment reference architecture, which of the following acts as an intermediary for providing connectivity and transport services between cloud consumers and providers? A cloud auditor B cloud provider C cloud broker D cloud carrier

D

An incident handler working in XYZ organization was assigned a task of detecting insider threats using behavioral analysis. Which of the following steps should be preformed first in the behavioral analysis? A Compare behaviors across multiple users. B Build profiles of each group. C Discover outliers in each group. D Extract behavioral patterns.

D

From the following scenarios, identify the scenario that indicates "insufficient transport layer protection" under security misconfiguration vulnerability: A Input from a client is not validated before being processed by web applications and backend servers. B Manipulation of parameters exchanged between client and server to modify application data. C Giving insight into source code such as logic flaws and default accounts. D Supporting weak algorithms and using expired or invalid certificates, which exposes a user's data to untrusted third parties and can lead to account theft.

D

Identify the metric that is used to measure the magnitude of application layer attacks. A bits per second (bps) B packets per second (pps) C cycles per second (cps) D requests per second (rps)

D

Identify the reasons that make the organizations not report computer crimes to law enforcement. I. Fear of negative publicity II. Lack of awareness of the attack III. Capability to handle incidents internally IV. Potential loss of customers A I, II, II and IV B I and II C I, II, and III D I, II, and IV

D

In live system analysis, which of the following tools is used to monitor the scheduled tasks? A Runscope B AlertSite C Sonar D CronitorCLI

D

In which Risk Assessment Methodology step do you identify the boundaries of the IT system and characterize it, in order to establish the scope of the risk assessment effort.? A Threats Identification B Threat Characterization C System Identification D System Characterization

D

In which of the following stages of incident handling does classification and prioritization of incidents take place? A incident recording and assignment B incident containment C post-incident activities D incident triage

D

Incident reporting and assessment, assigning event identity and severity level, assigning incident task force members are part of which phase of incident response? A Incident Classification B Containment C Data collection D Identification

D

James, an incident responder at Trinity Inc., is investigating a cybercrime. In the process, he collected the evidence data from the victim systems and started analyzing the collected data. Identify the computer forensics investigation phase James is currently in. A risk assessment phase B post-investigation phase C pre-investigation phase D investigation phase

D

Jason is an incident handler at The Rolls Inc. One day his organization encounters a massive cyberattack, and he identifies a virus called "XYZ@ZYX" spreading among the computers in the network (AKA, a level CAT 3 attack). He has started investigating the issue; however, as an incident handler, within how much time from detection of such malicious code attacks should he report to the authorities? A one week B one fortnight C three hours D one hour

D

John is an incident response manager at XYZ Inc. As a part of IH&R policy of his organization, he signed a contract between the organization and a third-party insurer to protect organization individuals from different threats and risks. What is the contract signed by John called? A escrow agreement B disclosure agreement C ROE agreement D cyber insurance

D

What can be the result of Sender Policy Framework (SPF) protocol when the SPF record cannot be verified due to syntax or format errors in the record? A TempError B Neutral C Pass D PermError

D

What does the character 'x' indicate in the following regular expression? /(\')|(\%27)|(\-\-)|(#)|(\%23)/ix A and B or C case-insensitive D Ignore white spaces in the pattern.

D

Which among the following steps do you implement as a part of DoS attack prevention? A Disable Intrusion Detection Systems B Enable Remote Desktop Connection C Install and run packet sniffer on the workstation D Block traffic from unassigned IP address ranges

D

Which of the following activities is performed by an incident handler during the pre-investigation phase of computer forensics? A search and seizure B evidence assessment C data acquisition D risk assessment

D

Which of the following backup strategies provides daily status of the backup situation, such as successful, unsuccessful, not run, out of space, etc.? A security B guarantee C data availability D notifications

D

Which of the following is a preparation step for a cloud service provider (CSP)? A Clearly mention privileges of employees accessing the cloud. B Mention the critical services and application that need most attention to the CSP in order to have a priority list for containment and recovery. C Audit and prepare a list of all the systems and accounts that have access to the cloud. D Install database activity monitoring (DAM), data leak prevention (DLP), log analysis, and SIEM tools to simplify detection of incidents.

D

Which of the following is defined as an organized approach to address and manage the aftermath of a security breach or attack? A Threat B Risk assessment C Vulnerability assessment D Incident response

D

Which of the following malware components is a program that conceals its code and intended purpose via various techniques, making it hard for security mechanisms to detect or remove it? A injector B exploit C packer D obfuscator

D

Which of the following malware distribution techniques involves exploiting flaws in browser software to install malware just by visiting a webpage? A spear-phishing sites B social engineered click-jacking C compromised legitimate websites D drive-by downloads

D

Which of the following phishing attacks exploits instant-messaging platforms to flood spam across the networks? A puddle phishing B CEO scam C pharming D spimming

D

Which of the following phishing attacks targets high-profile executives, like CEOs, CFOs, politicians, and celebrities, who have complete access to confidential and highly valuable information? A spear phishing B spimming C pharming D whaling

D

Which of the following terms reflects an organization's mid-term and long-term goals for incident management capabilities? A IH&R team models B IH&R mission C IH&R staffing D IH&R vision

D

Which one of the following is the intangible cost for an incident? A Lost productivity hours B Investigation and recovery efforts C Loss of business D Loss of reputation

D

Spoofed attack

DRDos Distributed Reflection Denial of Service

FTK Imager R-Drive Image EnCase Forensic Data Acquisition Toolbox RAID Recovery for Windows R-Tools R-Studio F. Response Imager

Data Imaging Tools

A small network placed between the organization's private network and an outside public network.

De-Militarized Zone (DMZ)

A security strategy in which several protection layers are placed throughout an information system.

Defense-in-depth

Cat 0 - Exercise/Network Defense Testing Cat 1 - Unauthorized Access Cat 2 - Denial-of-Service Cat 3 - Malicious Code Cat 4 - Inappropriate Usage Cat 5 - Scans/Probes/Attempts to Access Cat 6 - Investigation

Define Incident Handling Critiea

An attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users.

Denial-of-Service (DoS) Attack

The minimum Security requirements cover 17 security related areas.

FIPS 200

View Windows Security Logs for failed logon attempts

Detecting Brute Force

snort to detect malicious traffic

Detecting Firewall and IDS Evasion

Find URL, uploads, Downloads, emails.

Detecting Insider from Browser Data

Use Nuix Adaptive Security Tool to search for suspicious downloads

Detecting Insider from Data Exfiltration

Malicious Telnet Connections using Wireshark and filter for Telnet look for passwords or admin privileges.

Detecting Insider from Network Analysis

Autopsy Balbuzard Cryptam Malware Document Detection Suite

Detecting Insider from System analysis Tools

icmp.type==8 or icmp.type==0 tcp.dstport==7 to detect TCP ping sweep udp.dstport==7 to detect UDP ping sweep

Detecting Ping Sweep with WireShark

Mole Detection - leaking sensitive information Profiling- establish a pattern of normality

Detecting an Insider

Network Logs Server Logs Database Logs correlate them using SIEM tool

Detecting an Insider Log Analysis

Windows Registry Key MAC Os System info usb Linux usb-devices command

Detecting insider from Removable Media Store

Defined as "any information of probative value that is either stored or transmitted in a digital form" and helps incident responders/investigators find the perpetrator.

Digital Evidence

OllyDbg IDA Pro WinDbg ProcDump KD CDB NTSD

Disassembly Tools for Malware Analysis

A process by which a magnetic field is applied to a digital media device, resulting in a entirely clean device of any previously stored data.

Disk Degaussing

A large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers (botnets) on the internet.

Distributed Denial-of-Service (DDoS) Attack

Also known as a "spoofed" attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application.

Distributed Reflection Denial-of-Service (DRDoS) Attack

The process of writing all the actions the investigators have performed during the investigation to obtain the desired results.

Documenting

arin.net internic.net freeality.com

Domain Names Tools

HOIC High Orbit Cannon LOIC Low Orbit Cannon Hulk Metasploit

Dos/DDOS attack tools

msinfo32 Driver Viewer Driver Booster Driver Reviewer Driver Easy Driver Fusion Driver Genius Unknown Device Driver Magician Driver hive Installed Driver List My Driver Driver Agent Plus Driver Pack

Driver Monitor Tools

Port Scanning Firewalking Banner Grabbing IP Address Spoofing Source Routing Tiny Fragments Using IP Address in place of URL

Firewall Evasion Techniques

Refers to ability of a single cloud to handle data, accounts, systems and applications of various organizations.

Elasticity

The process of repeatedly sending an email message to a particular address at a specific victim's site.

Email Bombing

MXtool box E-Mail header analyzer message header analyzer IPtrackeronline.com GsuiteToolBox

Email Header Analsys Tools

Refers to the details of the source used to send the email.

Email Origin

Gpg4win - helps with encryption and digital signatures

Email Security Tools

Email Dosier Email Address Verifier Emailvalidator Email Checker G-Lock Software

Email Validity Tools

The process of translating the data into a secret code so that only the authorized personnel can access it.

Encryption

Involves stealing proprietary information of any organization and passing the same to other organizations with the motive of negatively impacting its reputation or for some financial benefit.

Espionage

manageengine.com

Event Log Analyzer Tool

The process of relating the obtained evidential data to the incident for understanding how the complete incident took place.

Evidence Assessment

Date and time of seizure who seized evidence exhibition number where was it seized from details of the contents submitting agent

Evidence Bag

HashTab HashCalc MD5 Deep MD5Sums Tools4Noobs Cryptomathic Hashmyfiles

File Hashing Tools

TripWire Netwrix Auditor Sigverif Verisys PA file sight CSP File Integrity Checker NNT Change Tracker AFlck Fsum OSSEC IgorWare

File and Folder Monitoring Tools

OS Forensics - Helps discover relevant forensic data faster with high performance Helix3- cyber security solution integrated into the network - reveals internet abuse, data sharing and harassement Autopsy- Digital forensic platform and graphical interface to the sleuth kit EnCase Forensic- Multi purpose forensic platform includes support for many devices Foremost- Console program to recover files based on their headers, footers, and internal data structures

Forensic Tools

Happens when hackers break into government or corporate computer systems as an act of protest.

Hacktivism

Individuals who promote a political agenda by hacking, especially by defacing or disabling websites.

Hacktivists

Hash Calc MD5 Calculator Hash My Files

Hash Tools

A computer system on the internet intended to attract and trap people who attempt unauthorized or illicit utilization of the host system.

Honeypot

Information security Standard developed by International organization for Standardization provides a global framework

ISO 27000

Specifies the requirements for establishing, implementing continually improving information security.

ISO 27001:2013

Guidelines for Info Security Standards

ISO 27002

Presents basic concepts and phases of information security incident management.

ISO 27035

Dependency Walker Snyk Hakiri RetireJS

Identifying File Dependencies Tools

PEiD UPX ExeInfo AsPack

Identifying Packet obfuscation Techniques Tools

PE Explorer PE Scan Resource Hacker PEview

Identifying Portable Executables Tools

Involves estimating the adverse impact caused due to the exploitation of the vulnerability by the threat source.

Impact Analysis

Symantec Data Loss Secure Trust Data Loss McAfee Total Protection Check Point Digital Guardian

Insider Threat Detection Tools DLP

The incidents in which a user violates the acceptable computing use policies.

Inappropriate Usage

Kiwi Log Viewer

Inappropriate Usage Incidents Accessing Malware

1. Preparation 2. Incident Recording 3. Incident Triage 4. Notification 5. Containment 6. Evidence Gathering and Forensic Analysis 7. Eradication 8. Recovery 9. Post-Incident Activities -Incident Documentation -Incident Impact Assessment -Review and Revise Policies -Close the Investigation -Incident Disclosure

Incident Handling Response Steps

A process of taking organized and careful steps when reacting to a security incident or cyberattack.

Incident Handling and Response (IH&R)

A group of technically skilled people capable of carrying various functions, such as threat intelligence, evidence analysis, and investigating the users.

Incident Handling and Response (IH&R) Team

The process of determining all types of losses occurred because of the incident.

Incident Impact Assessment

A set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore normal service operations as quickly as possible and prevent future reoccurrence of the incident.

Incident Management

A process of developing a strategy to address the occurrence of any security breach in the system or network.

Incident Response

The process of superseding the manual IR actions with automatic IR actions using machines and tools.

Incident Response Automation

An approach to respond to the security incidents that occurred in an organization.

Incident Response Orchestration

Observing the behavior of an individual when alone, whereas group profiling is observing a person's behavior in a group.

Individual Profiling

Individuals who try to attack the companies for commercial purposes.

Industrial Spies

Can be defined as a piece of information identified as important to an organization.

Information Asset

Defined as "a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is kept low or tolerable."

Information Security

A network or host activity that impacts the security of information stored on network devices or systems with respect to confidentiality, integrity, and availability.

Information Security Incident

Defines the basic security requirements and rules to be implemented in order to protect and secure organization's information systems.

Information Security Policy

The use of information and communication technologies (ICT) to take competitive advantages over an opponent.

Information Warfare or InfoWar

Web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.

Injection Flaws

A web application vulnerability where input from a client is not validated before being processed by web applications and backend servers.

Input Validation Flaws

Any employee (trusted person) having access to critical assets of an organization.

Insider

An attack by someone from within an organization who has authorized access to its network and is aware of the network architecture.

Insider Attack

A threat that originates from people within the organization; it is typically carried out by a privileged user, disgruntled employee, terminated employee, accident-prone employee, third party, or undertrained staff.

Insider Threat

Review Log Files Look for Indicators of unexplained financial gain Look for Deleted Log files User alerting mechanism ? Not sure which one.

Insider Threat Detection

ObserveIT - Monitors user behavior DataRobot - Automated Machine Learning platform to detect Insiders Ekran System - User-based insider threats SS8 Insider Threat Detection CyberArk Netwrix Auditor insightIDR Splunk UBA

Insider Threat Detection Tools

The trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose.

Integrity

A sensor-based technology that directly corrupts technological systems.

Intelligence-based Warfare

Belksoft Regscanner MultiMon Process Explorer Security Task Manager MetaData HstEx XpoLog

Other Forensic Tools

Sumo Logic Splunk cloud Papertrail Logz.io Timber

Other cloud based Analysis Tools

The calculation of probability that a threat source exploits an existing system vulnerability.

Likelihood Analysis

Organizations have limited Control Prone to outages and other issues Security Privacy and compliance issues Contract Lock-ins Depends on network connection

Limitations of Cloud Environment

Top - Displays system summary info W - Displays Current processes for each user PS - info about roots processes pstree - displays in a tree form

Linux Processes running

netstat TCP View Currports Dot.com Monitor Port Expert PRTG Network Monitor Nagies Port Monitor

Live Port Monitoring Tools

The process of acquiring volatile data from a working computer (either locked or in sleep condition) that is already powered on.

Live/Volatile Data Acquisition

An attack where an attacker exploits vulnerable inclusion procedures implemented in the web application.

Local File Injection (LFI)

Virus Total Jotti Metadefender Online Scanner IObit Cloud Threat Expert Valkyrie Dr. Web online Scanner Upload Malware Threat Analyzer Payload Security Anubis Windows Defender Bitdefender

Local and Online Malware Scanning Tools

Loggly SolarWinds and Even Manager Netwrix Log Fusion Alert Logic Event Tracker Process Lasso Pro Splunk

Log Analysis Tools

A coding flaw that causes performance issues in the application or website and results in undesired or unwanted output.

Logic Error

Tripwire- can be used to monitor changes of assets in the cloud environment and generate alerts

MITC Attack Detection Tool

Repeated email messages

Mail Bombing

Flurry of messages

Mail Storming

Blackhat search engine optimization Social Engineering - Click Jacking Spearphising Sites Malvertizing Comprimise Legitimate Websites Drive by Downloads Spam Email

Malware Distribution

Analyze Binary Codes File Fingerprinting

Memory Dump Analysis

Bintext Floss Strings Free Exe DLL Hex Workshop

Memory Dump Analysis String Search Tools

Alternate Data Streams

Memory Residents

Programs that always remain in the internal memory and operating system have no permissions to swap them out to external storage.

Memory Residents

The information that stores details of data.

Metadata

Best practices regarding information security by NIST under FISMA law

NIST 800 Special Pub

Special publication step by step guide for incident response

NIST 800-61

A structured and continuous process that integrates information security and risk management activities into the system development lifecycle (SDLC).

NIST Risk Management Framework

The collection of computers and other hardware connected by communication channels to share resources and information.

Network

ns-3 Riverbed Modeler Qualnet

Network & Internet Simulators for Malware Analysis

-Windows tool to collect info about network -a displays all active connections -b Displays the executable involved -e displays ethernet stats -n active TCP connections expressed numerically -o displays PID -p Displays protocol -r shows routing table

Network Command: netstat

- Troubleshoot netbios name resolutions -C shows the cache -n shows names registered locally -r resolve through broadcast -s current sessions

Network Commands Nbstat

What kinds of tools are these? Capsa Wireshark Nessus PRTG GFI Languard Netfort LAN Guardian Network Analyzer Microsoft Network Monitor Manage Engine OP Manager

Network Monitor Tools

Suricata- real time IDS ntopng- web-based network traffic monitor Wireshark Colasoft OmniPeek Observer

Network Tools for Validation of Suspicious Events

A way to guarantee that the sender of a message cannot later deny having sent the message, and that the recipient cannot deny having received the message

Non-repudiation

The permanent data stored on secondary storage devices, such as hard disks and memory cards.

Nonvolatile Evidence

TCP.flags==0X000

Null Scan Attempts

Information warfare that involves attacks against ICT assets of an opponent.

Offensive Information Warfare

The process of combining human, processes, and technologies to gain better results.

Orchestration

Professional hackers having an aim of attacking a system for profits.

Organized Hackers

Qualys Cloud Platform Azure Security Centre Nessus Enterprise for AWS Symantec Cloud Workload Alert Logic

Other Cloud Security Tools

Payment card standards.

PCI DSS

A program used to compress or encrypt the executable programs.

Packer

A process of monitoring and capturing all data packets passing through a given network by using a software application or a hardware device.

Packet Sniffing

Refers to tracing back attack traffic.

Packet Traceback

A collection of words, letters, numbers, and/or special characters used for security processes such as user authentication or to grant access to a resource.

Password

A proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Payment Card Industry Data Security Standard (PCI DSS)

Also known as phlashing also bricking a system

Permanent DOS

Also known as phlashing, purely targets hardware causing irreversible damage to the hardware.

Permanent DoS (PDoS) Attacks

Also known as domain spoofing, is an advanced form of phishing in which the attacker redirects the connection between the IP address and its target server.

Pharming

Redirects to another website- also called Phishin without a lure

Pharming

A practice of sending an illegitimate e-mail falsely claiming to be from a legitimate site in an attempt to acquire a user's personal or account information.

Phishing

Netcraft Phish Tank

Phishing Tools

A set of guidelines used to achieve goals and objectives of incident response initiative set by the IH&R plan.

Policy

Also known as the recommendation phase, which is performed after the risk assessment.

Post Assessment Phase

Which phase is this? setup lab, build workstation, develope toolkit

Pre-Investigate Phase

The preparatory phase, which includes defining policies and standards, defining the scope of assessment, designing appropriate information protection procedure, and identifying and prioritizing the critical assets to create a good baseline for the vulnerability management.

Pre-assessment Phase

Train employees to detect social engineering attempts conduct security awareness training Brief employees on how to identify suspicious espionage events Prohibit employees from disclosing confidential info Strict password management Principle of least privilege

Preparing to Handle the Insider Threat

Also known as internal or corporate cloud, is a cloud infrastructure that a single organization operates solely.

Private Cloud

Persons with unlimited permissions to the systems, such as user end points, organization data, cloud services, customer data, etc.

Privileged Users

process explorer m/monit eset sysinspector system explorer security task manager

Process Monitoring Tools

PromqryUI Nmap --script=sniffer-detect (ipaddress)

Promiscuous Detection Tools

SYN Flood ACK floor TCP connection flood attack TCP state exhaustion attack Fragmentation attack RST Attack

Protocol Attacks

Small Organizations

Puddle Phising

A type of a malware, which restricts access to the computer system's files and folders and demands an online ransom payment to the malware creator(s) in order to remove the restrictions.

Ransomware

In the gathering of information, attackers make an attempt to gather the target network's crucial information and perform the attacks.

Reconnaissance

A significant step for restoring whatever services or materials might have been affected during an incident.

Recovery

Hackers who hack to learn and explore, by exploiting or manipulating technology.

Recreational Hackers

JV16 Power Tools 2017 - Cleans registry Regshot Reg Organizer Registry Viewer Reg Scanner Registrar

Registry Monitoring Tools

The connection between digital evidence and the fact that is to be proved.

Relevance

The steps that are taken to mitigate the found vulnerabilities such as evaluating vulnerabilities, locating risks, and designing responses for the vulnerabilities, etc.

Remediation

A technique that targets underlying web application vulnerabilities and launch attacks from a remote server.

Remote File Injection (RFI)

A situation involving exposure to danger (or) the possibility that something unpleasant or unwelcome will happen.

Risk

Identification of risks, estimation of impact and determining sources to recommend proper mitigation measures.

Risk Assessment

PILAR A1 Tracker Risk Management Studio

Risk Assessment Management Tools

Preventing the risk by curbing the cause of the risk and/or consequence.

Risk Avoidance

A crucial task in a risk assessment effort. It is a complex process and depends upon various tangible and intangible factors.

Risk Determination

An assessment of the resulted impact on the network.

Risk Level

A set of policies and procedures to identify, assess, prioritize, minimize, and control risks.

Risk Management

A process that is designed to identify, eliminate, or mitigate the risks that can cause damage to the organizational network and systems.

Risk Management Plan

Scales the risk occurrence/likelihood probability along with its consequences or impact.

Risk Matrix

A strategical approach to prepare for handling risks and reduce its impact on the organizations.

Risk Mitigation

What are these? 1. Identify Crime Scene 2. Protect Crime Scene 3. Protect Fragile Evidence 4. Collect Info about incidents 5. Document All Findings 6. Package and transport the electronic evidence

Roles for First Responders

netstat -ab shows all executables List DLL$ - determines all DLL's loaded PsList - Basic info on running processes

Running Processes

schtask - Windows Task Monitor MoTaSh ADAudit CronitorCLI Solarwinds Windows Task Scheduler

Schedule Task Monitoring Tools

Snag It Jing Camtasia Ezvid

Screen Capture Tools

Unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers.

Script Kiddies

A data processing process that is used to analyze the user activities within a certain time period.

Sessionization

Stealing credit/debit card numbers by using special storage devices called skimmers or wedges when processing the card.

Skimming

The art of convincing people to reveal confidential information.

Social Engineering

spam for instant messaging

Spimming

Autoruns Win Patrol Quick Startup StartEd Chameleon BootRacer Wintools.net EF Startup PC Startup CC cleaner Startup Delayer

Start Up Tools

Individuals employed by the government to penetrate and gain top-secret information and to damage information systems of other governments.

State Sponsored Hackers

Nonvolatile data, which does not change its state after the system shut down.

Static Data

The process of extracting and gathering the unaltered data from storage media.

Static Data Acquisition

A technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data.

Steganography

Prepare - performing audits of resources and deterimine the purpose of security defining rules policies and procedures.

Step 1 IH&R

Incident Recording - Initial recording of the incident takes place. Identification of an incident. Reports suspicious behavior or submit ticket.

Step 2 IH&R

Triage - Incident will be analyzed and categorized to be prioritized.

Step 3 IH&R

Notification - The incident will be made known to the appropriate stake holders.

Step 4 IH&R

Containment - Simultaneous with notification, containment prevent the spread of the incident.

Step 5 IH&R

Evidence Gathering and Forensics - this is the phase where all of the evidence is gathered.

Step 6 IH&R

Eradication - The team will begin to remove the incident and patch the systems to prevent further spread.

Step 7 IH&R

Recovery - Restoring the affected systems will begin in this phase.

Step 8 IH&R

Post Incident Activities - 1. Documentation 2. Impact Assessment 3. Review and Revise Policies 4. Close the investigation 5. Incident Disclosure

Step 9 IH&R

Vulnerability analysis Artifact analysis Security Awareness training Intrusion Detection Public or technology monitoring

Steps of Incident Handling

A programming language meant for database management systems.

Structured Query Language (SQL)

Individuals who aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment.

Suicide Hackers

Mirekusoft Install Monitor Sys Analyzer Advanced Uninstaller Pro Revo Uninstaller Commando Program Manager

System Installation Monitoring Tools

net statistics server PSUptime (Windows) net statistics (Windows) Uptime and W (Linux)

System Uptime

The organization's direct expenditure due to incident.

Tangible Cost

insertion Attack Evasion Denial-of-Service Attack Obfuscating False Positive Generation Session Splicing etc.

Techniques to evade IDS

The organizational resources which are attacked by the threat actors in order to gain a complete control or steal the information for launching further attacks on the organization.

Threat Target and Assets

The collection and analysis of information about threats and adversaries and drawing patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention, and response actions against various cyberattacks.

Threat Intelligence

An undesired event that attempts to access, exfiltrate, manipulate or damage the integrity, confidentiality, security, and availability of an organizational resource.

Threat

A person or entity that is responsible for the incidents or has the potential to impact security of an organization's network.

Threat Actor

The process of examining, filtering, transforming, and modeling of acquired threat data for extracting threat intelligence.

Threat Assessment

The process of identifying and attributing actors behind an attack, their goals and motives along with the sponsors

Threat Attribution

The process of assessing the threats and their impacts in various conditions.

Threat Contextualization

Helps organizations to monitor, detect, and escalate various evolving threats from the organizational networks.

Threat Correlation

Hyper-V Parallel Desktop Boot Camp

Tools - Virtual Machines for Malware Analysis

KFSensor SSHHiPot Artillery

Tools for Detecting DoS/DDoS

arp.duplicate-address-detected or XArp Others ArpON ARP AntiSpoofer

Tools for Detecting Sniffing and Spoofing ARP Poisoning

AIDA64 Extreme

Tools for Inappropriate Usage Incidents

Genie Backup Manager Macrium R-Drive O & O Disk Image

Tools for Malware Analysis OS Backup and Imaging

Extract boot files WinHex TSK Autospy

Tools for Static Data

systeminfo.exe (Windows) PSInfo (Windows) Cat (Linux) Uname (Linux)

Tools for Volatile System Data

Cyber Triag Process Explorer PMDump ProcDump Process Dumper PsList Task LIST

Tools for volatile data

PoliteMail.com Yesware.com ContactMonkey.com Zendio.com ReadNotify.com didtheyreadit.com whatismyipaddress.com

Tracing Email back to sender tools

Software or hardware that defines a set of rules for HTTP conversation to filter out malicious data.

Web Application Firewall (WAF)

The process of obtaining illegal access to the systems or network resources to steal or damage information.

Unauthorized Access

The platform in a cloud that allows the clients to install virtual machines, systems, and servers required to run applications.

Virtualization

The temporary information on a digital device that requires a constant power supply and is deleted if the power supply is interrupted.

Volatile Evidence

Data stored in the registries, cache, and RAM of digital devices.

Volatile Information

Rekall Memdump MemGator

Volatile Memory Tools

measured in bits per second

Volumetric DDOS

The existence of weakness, design, or an implementation error that, when exploited, leads to an unexpected and undesirable event compromising the security of the system.

Vulnerability

Qualys Nessus OpenVAS AlienVault OSSIM

Vulnerability Analysis Tools

An examination of the ability of a system or application, including current security procedures and controls, to withstand assault

Vulnerability Assessment

Identifying vulnerabilities in the organization infrastructure including the operating system, web applications, web server, etc.

Vulnerability Assessment Phase

An important process that helps in finding and remediating security weaknesses before they are exploited.

Vulnerability Management Life Cycle

The process of discovering vulnerabilities and design flaws that will open a network, operating system, and its applications to attack or misuse.

Vulnerability Research

An unbounded data communication system that uses radio frequency technology to communicate with devices and obtain data.

Wireless Network

anti-abuse API AutoShun Cisco Umbrella Alexa Top 1 Million sites

WhiteListing/Blacklisting Tools

SrvMan Advanced Windows Service Manager Netwrix Service Monitoring Anvir Task Manager Service + Easy Windows Service Manager Nagis XI Windows Service Monitor PC Service optimizer Smart Utility

Windows Service Monitoring Tools

tcp.flags==0X029

Xmas Scan Attempts


Set pelajaran terkait

BIOL 122 3/20 Biotechnology (End)

View Set

Chapter 6 - Topical Anesthetic Agents

View Set

Ch. 4; Cell anatomy and physiology - Part 2

View Set

Manhattan Prep GRE 1000+ Mega Test

View Set