count backwards the 4th week

deploy a VPN technology with granular access controls for applications that are enforced at the gateway. Which VPN technology is best suited to this requirement?

A TLS VPN (sometimes called an SSL/TLS VPN) is typically the chosen solution when application filtering is required. Since TLS VPNs operate at the session layer, they can make decisions based on users and groups, as well as specific commands, application content, or URLs. IPsec VPNs can support all IP application and simply appear to be an IP network.

Measured Boot

A UEFI feature that gathers secure metrics to validate the boot process in an attestation report

Secure Boot

A UEFI feature that prevents unwanted processes from executing during the boot operation

Ric is working on reverse-engineering a malware sample and wants to run the binary but also control the execution as it occurs. What type of tool should he select for this?

A debugger Debuggers allow you to control the execution of a program by setting breakpoints, changing input data and variables, and otherwise controlling the execution of the program. Disassemblers and decompilers can provide insight into the code of a binary an unpacker helps remove compression or encryption used to help obfuscate the code itself.

Fuzzing

A dynamic code analysis technique that involves sending a running application random and unusual input to evaluate how the application responds Fuzzing is a technique designed to test software for bugs and vulnerabilities ▪ Application UI ▪ Protocol ▪ File Format Fuzzers may craft input using semi-random input or specific inputs

Debugger

A dynamic testing tool used to analyze software as it executes A debugger allows you to pause execution and to monitor/adjust the value of variables at different stages

eFUSE

A means for software or firmware to permanently alter the state of a transistor on a computer chip

Although both Secure Boot and Measured Boot processes rely on a chain of trust, only one validates the objects in the chain. Which technology does this and what process does it follow?

A secured boot chain validates the boot objects using private keys to check against public keys already in the BIOS. Secured Boot uses cryptographic signatures for executables to check each object against known public keys stored in the BIOS of the system that is running the Secured Boot.

Structured Threat Information eXpression (STIX)

A standard terminology for IoCs and ways of indicating relationships between them that is included as part of the OASIS Cyber Threat Intelligence (CTI) framework STIX is expressed in JavaScript Object Notation (JSON) format that consists of attribute: value pairs

Unified Extensible Firmware Interface (UEFI)

A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security

Remote Code Execution

A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability

Megan wants to check memory utilization on a Macintosh system. What Apple tool can she use to do this?

Activity Monitor macOS has a built-in memory monitoring tool as part of the Activity Monitor. It will show you details, including how much memory the system has, what is used by applications and the operating system, how much space is taken up by cached files to improve system performance, how much space is used on your disk for swap space, and how efficiently your memory is being used in the form of a statistic called memory pressure.

Which software development life cycle model is illustrated in the image?

Agile The Agile software development methodology is characterized by multiple sprints, each producing a concrete result. The Waterfall model follows a series of sequential steps, whereas the Spiral model uses multiple passes through four phases. Rapid Application Development (RAD) uses a five-phase approach in an iterative format.

After submitting a suspected malware package to VirusTotal, Damian receives the following results. What does this tell Damian?

Antivirus vendors use different names for the same malware. Each antivirus or antimalware vendor uses their own name for malware, resulting in a variety of names showing for a given malware package or family.

Martin would like to take steps to confirm the reliability of employees and avoid situations where employees might be susceptible to blackmail attempts to obtain the plans. Which one of the following controls would be most effective to achieve that goal?

Background investigation only a background investigation is likely to uncover information that might make a potential employee susceptible to blackmail.

alert tcp $EXTERNAL_NET any -˃ 10.0.10.0/24 80 (msg:"Alert!"; content:"http|3a|//www.example.com/download.php"; nocase; offset:12; classtype: web-application-activity;sid:5555555; rev:1;) What type of detection method is Adam using?

Behavioral-based Adam's Snort rule is looking for a specific behavior, in this case, web traffic to example.com's download script.

capture forensic data from a Windows PC and needs to ensure that she captures the data in their order of volatility. Which order is correct from most volatile to least volatile?

CPU cache, network traffic, disk drives, optical media The order of volatility for common storage locations is as follows: 1. CPU cache, registers, running processes, RAM 2. Network traffic 3. Disk drives 4. Backups, printouts, optical media

While reviewing the filesystem of a potentially compromised system, Marta sees the following output when running ls -la. What should her next action be after seeing this?

Check the passwd binary against a known good version The passwd binary stands out as having recently changed. This may be innocuous, but if Marta believes the machine was compromised, there is a good chance the passwd binary has been replaced with a malicious version. She should check the binary against a known good version, and then follow her incident response process if it doesn't match.

earnestnessrealsitetest.com rvcxestnessrealsitetest.com hjbtestnessrealsitetest.com agekestnessrealsitetest.com sgjxestnessrealsitetest.com igjyestnessrealsitetest.com zxahestnessrealsitetest.com zfrpestnessrealsitetest.com hdquestnessrealsitetest.com umcuestnessrealsitetest.com hrbyestnessrealsitetest.com ysrtestnessrealsitetest.com kgteestnessrealsitetest.com hfsnestnessrealsitetest.com njxfestnessrealsitetest.com What has he likely found in the malware package?

DGA Domain names like those listed are a common sign of a domain generation algorithm (DGA), which creates procedurally generated domain names for malware command and control hosts.

ensure that her organization's cybersecurity team reviews the architecture of a new ERP application that is under development. During which SDLC phase should Mia expect the security architecture to be completed?

Design Security artifacts created during the Design phase include security architecture documentation and data flow diagrams.

When the manager opens a document, website, or other application that takes user input, words start to appear as though they are being typed. What is the first step that Ben should take in his investigation?

Disconnect the system from the network the best response is typically to isolate it from other systems and networks that it could negatively impact. By disconnecting it from all networks, Ben can safely investigate the issue without causing undue risk.

What major differences exist between reconnaissances of a wired network versus a wireless network?

Encryption and physical accessibility most wired networks do not use end-to-end encryption by default and that wireless networks are typically more easily accessible than a wired network that requires physical access to a network jack or a VPN connection from an authorized account. Port security is used only for wired network connections.

FAT32 and NTFS

FAT32 can be converted to NTFS but it is not so easy to convert NTFS back to FAT. NTFS has great security, file by file compression, quotas and file encryption. If there is more than one operating system on a single computer, it is better to format some volumes as FAT32. if you'd like to use the USB on older computers, or non-PC systems like digital picture frames, TV sets, printers or projectors, choose FAT32 because it is universally supported. If you are choosing a file system for the backup hard drive, select NTFS.

Microsoft Windows OLE Remote Code execution vulnerability

Failure to perform input validation In a remote code execution attack, the attacker manages to upload arbitrary code to a server and run it. These attacks are often because of the failure of an application or operating system component to perform input validation.

After completing the first round of tests for her organization's mobile application, Olivia has discovered indications that the application may not handle unexpected data well. What type of testing should she conduct if she wants to test it using an automated tool that will check for this issue?

Fuzzing Fuzz testing involves sending random or invalid data to an application to test its ability to handle the unexpected data.

After creating a new set of encryption keys for an SSH key, Allan inadvertently uploads them to GitHub, What options does he have to fix this issue?

He needs to generate a keypair and replace it wherever it is in use. Once your private key has been exposed, your only option is to remove the keypair from use and to replace it wherever it is in use.

he simply pull the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice?

It will prevent shutdown scripts from running. If the system contains any shutdown scripts or if there are temporary files that would be deleted at shutdown, simply pulling the power cable will leave these files in place for forensic analysis.

Rhonda reviews the account rights in an Active Directory domain for every administrative user and removes any rights to directories or systems that should no longer be available to the administrative users. What type of review is this?

Manual review Manual review techniques are useful when automation is difficult or where human knowledge is required. A manual review of accounts, permissions, configurations, and clearance levels at a given interval

Cynthia accesses the registry and checks \\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogin. What domain was the system connected to, and what was the username that would appear at login?

No domain, admin (default domain name has no value), and the default user is admin.

What tool should he use to get the most useful information about system vulnerabilities?

OpenVAS OpenVAS is a full-system vulnerability scanner. Wapiti is a web application scanner, ZAP is an attack proxy used for testing web applications nmap is a port scanner.

What type of file is commonly used to store configuration settings for macOS systems?

Plists Luke should expect to find most of the settings he is looking for contained in plists, or property lists, which are XML files encoded in a binary format

NOT a valid use case for live forensic imaging?

Postmortem forensics Postmortem forensics can typically be done after shutting down systems to ensure that a complete forensic copy is made

Local and domain administrator accounts, root accounts, and service accounts are all examples of what type of account?

Privileged accounts Privileged accounts typically include local and domain administrators, SA and other accounts that manage databases, root accounts, and other administrative accounts on Linux and Unix systems, service accounts, and similar accounts on network and other devices.

NIST Cybersecurity Framework. He is specifically interested in the organization's external participation and determines that the organization has a good understanding of how it relates to customers on cybersecurity matters but does not yet have a good understanding of similar relationships with suppliers. What tier rating is appropriate for this measure?

Risk Informed In a risk-informed external participation effort, the organization understands its role in the larger ecosystem with respect to either its own dependencies or dependents, but not both. each tier is classed as Partial, Risk Informed, Repeatable, and Adaptive

ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) What should her next action be?

Run an antimalware scan of the system associated with the detection. Annie's best option is to conduct an antimalware scan with a tool capable of detecting the Dridex malware

Services, input fields in a web application, and communication protocols are all examples of what component of an attack surface evaluation?

Services, input fields, protocols, APIs, and other potential targets are all examples of attack vectors. A specific path by which a threat actor gains unauthorized access to a system ▪ Cyber ▪ Human ▪ Physical

Jennifer is reviewing her network monitoring configurations and sees the following chart for a system she runs remotely in Amazon's Web Services (AWS) environment more than 400 miles away. What can she use this data for?

She can use this data to determine a reasonable response time baseline. Jennifer can use this info to help build her baseline for response time for the AWS server

describe an actor that is responsible for APT-level attacks. What STIX threat actor sophistical level best fits this type of actor?

Strategic According to the STIX 2.0 taxonomy, state actors like those that are responsible for APT-level attacks are classified as strategic.

What two pieces of information does nmap need to estimate network path distance?

TTL and OS nmap can combine operating system identification and time to live (TTL) to take a reasonable guess at the number of hops in the network path between the scanner and a remote system. The operating system guess will provide the base time to live, and the TTL counter will decrement at each hop. Given these two pieces of information, nmap takes an educated but often very accurate guess.

While Chris is attempting to image a device, he encounters write issues and cannot write the image as currently set. What issue is he most likely encountering?

The destination drive is formatted FAT32 FTK Imager Light is shown configured to write a single large file that will fail on FAT32-formatted drives where the largest single file is 4 GB. If Chris needs to create a single file, he should format his destination drive as NTFS. In many cases, he should simply create a raw image to a blank disk instead!

least likely to show signs of phishing or other email-based attacks?

The email signature block

Time of Check to Time of Use (TOCTTOU)

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource o How can you prevent race conditions and TOCTTOU? 1. Develop applications to not process things sequentially if possible 2. Implement a locking mechanism to provide app with exclusive access

Cyber Threat Intelligence

The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources to provide data about the external threat landscape ▪ Narrative reports ▪ Data Feeds You don't use narrative reports or data feeds... you use both!

Software Development Life Cycle (SDLC)

The processes of planning, analysis, design, implementation, and maintenance that governs software and systems development It is important to integrate security controls into each stage of the SDLC

the scan result reported a blind SQL injection

The result is a false positive Blind SQL injection vulnerabilities are very difficult to detect and are a notorious source of false positive reports.

Manish noticed that all the vulnerabilities were no longer active; however, ports 137, 139, and 445 were still showing as open. What most likely happened?

The server was patched. The system is showing normal ports for a Windows file server. It is most likely that Manish's escalation to management resulted in action by the server administrator.

SLE

The single loss expectancy (SLE) is the amount of damage expected to occur as the result of a single successful attack.

discovered a critical vulnerability in one of his organization's database servers during a routine vulnerability scan. When he showed the report to a database administrator, the administrator responded that they had corrected the vulnerability by using a vendor-supplied workaround because upgrading the database would disrupt an important process. Larry verified that the workaround is in place and corrects the vulnerability. What is the most likely cause of this report?

The vulnerability scanner depends on version detection.

user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt What is the user attempting to do?

They are attempting to crack hashed passwords. Azra's suspicious user appears to be attempting to crack LANMAN hashes using a custom word list. The key clues here are the john application, the LM hash type, and the location of the word list.

How is integrated intelligence most commonly used in a firewall system?

Threat intelligence is used to provide IP info for rules. Threat intelligence feeds may be used to build rules, however unlike option B, threat feeds typically aren't used to build rules in real time for firewall devices. Firewalls typically do not analyze their own logs and build STIX feed entries, nor do they know about threat actor names, resources, and threat levels.

A SQL injection exploit typically gains access to a database by exploiting a vulnerability in a(n)

Web application SQL injection vulnerabilities target the data stored in enterprise databases, but they do so by exploiting flaws in client-facing applications. These flaws are most commonly, but not exclusively, found in web applications.

ensure that user awareness, documentation, and other tasks are accomplished and tracked as new infrastructure is added and modified. What type of tool should they acquire?

a change management tool Amanda's organization needs to invest in change management tools and techniques to ensure that changes are tracked and that the tasks and procedures that go with those changes occur. An IDE (integrated development environment) is used for programming rather than for this type of task.

Lucca wants to ensure that his Windows logs capture events for one month. What setting should he change in the settings to ensure this?

change the setting to archive the log when full.

she is unable to meet one of the requirements because of a technical limitation in her point-of-sale system. She decides to work with regulators to implement a second layer of logical isolation to protect this system from the Internet to allow its continued operation despite not meeting one of the requirements. What term best describes the type of control Piper has implemented?

compensating control

What does this flow entry most likely show if 10.2.2.3 is not a system on her network? Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port 2017-07-11 13:06:46.343 21601804 TCP 10.1.1.1:1151->10.2.2.3:443 2017-07-11 13:06:46.551 21601804 TCP 10.2.2.3:443->10.1.1.1:1151 Packets Bytes Flows 9473640 9.1 G 1 8345101 514 M 1

data exfiltration Large data flows leaving an organization's network may be a sign of data exfiltration by an advanced persistent threat.

Renee is conducting due diligence on a potential vendor. Which one of the following information sources would be most useful to her?

independent audit results the most useful item would be the results of an independent security assessment that evaluates the vendor's security controls.

Ricky discovered a vulnerability in an application where privileges are checked at the beginning of a series of steps, may be revoked during those steps, and then are not checked before new uses of them later in the sequence. What type of vulnerability did he discover?

race condition This is a classic example of a time-of-check/time-of-use (TOC/TOU) attack, which exploits a race condition in application code.