Cyber Final

What are the two possible techniques for sharing the mobile radio spectrum on the 'first hop' between the edge devices and the base station?

- (CDMA) Code Division Multiple Access - FDMA/TDMA combined

The costs of malicious cyber attacks in 2016 were estimated to be between $57B and $109B a study by the President's Council of Economic Advisors. Rank the types of costs below in increasing order of magnitude (1 = least costly, 5 = most costly).

- 1 = Regulatory penalties - 2 = Cybersecurity improvements - 3 = Reputational damage - 4 = Court settlements - 5 = Loss of intellectual property

A Northrup Grumman study found that Chinese data theft attacks often packaged data in packed, encrypted files of 650MB size the reason(s) for this were: (choose all that apply)

- 650 MB file size facilitates physical exfiltration because an insider could copy to CDs - Encryption obscures what data was stolen if/when breach is discovered

Match the following technical cybersecurity roles with their function

- Access administrator = ensures that users' privileges on the network are consistent... - Security incident responder = isolates systems and portions of the network... - Network intrusion analyst = monitors all of the organizations networks... - Security device administrator = maintains and configures firewalls... - Environment assessment team = scans for known vulnerabilities...

Match the following supervisory cybersecurity roles (typical for corporations) with their function:

- CISO = Single point of accountability... - Cybersecurity architect = develops overall cybersecurity strategy... - Audit Manager = Determines pass/fail criteria... - Auditor = executes the audit plan

Which of the following tactics were used by the Dutch police in the takedown of the Dark Web black market site, Hansa? (CHOOSE ALL THAT APPLY)

- Cooperation with other law enforcement agencies - Made a 'recovery key' available to users - Compromised encryption - Tricked users into uploading pictures NOT: - Installing malware that locked the users out

Which of the following have been most frequently targeted by Chinese cyber efforts in the US? (select three)

- Defense contractors - Tech and aerospace companies - Defense and Intelligence agencies

In order to mitigate potential Russian information operations during the 2018 US elections, US Cybercom took the following measures: (circle all that apply)

- Emails and texts directly to known 'trolls' - DDoS attacks against the Internet Research Agency

In 2007, Israel was able to neutralize Syrian air defenses while the Israeli Air Force bombed a suspected WMD facility in Syria. Richard Clarke speculates that this might have been accomplished by: (choose all that apply)

- Installing malware on the computer code controlling the Syrian network - Physically tapping into the fiber-optic cables of the Syrian network

Cryptocurrency is disruptive technology because: (CHOOSE ALL THAT APPLY)

- It provides a method for making anonymous transactions - It takes production and regulation of currency out of the hands of nation states

Which of the following are true of the DHS Einstein program? (select all that apply)

- It provides intrusion protection by filtering out malware and blacklisted IP addresses as well as operating sinkholes and honeynets to isolate suspicious traffic. - It was extended to allow the government to monitor certain data held by defense contractors - It's adoption by all Federal agencies was mandated by Congress NOT: - A principal goal is to ensure user's privacy is secure while operating on government networks

Russian cyber doctrine has some unique features that are not reflected in many other countries. Select the distinctively Russian features from this list:

- Leveraging the criminal and hacker communities in state cyber warfare roles - Tight integration of cyber with conventional armed forces

Match the following private sector cybersecurity resources to their description:

- MITRE = Federally Funded Research and Development Center... - SANS Institute = Private US non profit... - Honeynet.org = International non-profit - Krebs on Security = A cyber security blog... - Symantec = A for-profit company...

Match the following SCADA components with the most accurate description:

- MTU = Acts as a master controller... - RTU = Provides data acquisition... - HMI = Allows human operators... - PLC = Capable of controlling...

Because of the high level of education and training required, cyber warriors in the military are usually (select all that apply):

- More motivated by sense of duty and patriotism than by money - Underpaid and at risk of leaving the military for the civilian sector

Recent (2013, 2014) studies by US CERT and Idaho Labs studies revealed which of the following? (select all that are true)

- Over 60% of energy companies had been attacked - Russian malware - Black Energy - had been extensively deployed on the US power grid beginning as early as 2011

In the Extended Model of Cybercrime Investigations, match the following activities with the stages in which they occur:

- Search and Identification of Evidence: tracing traffic - Collection of Evidence: Imaging drives - Transport of Evidence: Physically transferring - Examination of Evidence: Repairing/Restoring NOT AN OPTION: Storing data...

Which of the following techniques were employed in the Target hack (circle all that apply)

- The 'Citadel' Trojan was used to present a false login screen - Credit card data was stolen when it was in an unencrypted state - Data was exfiltrated from specific servers within Target's internal network - Data was exfiltrated via open internet to 'dump servers'

Which of the following are true of wireless networks using the 802.11 set of protocols? (select all that apply)

- The access point broadcasts to all hosts within it's radio range - Can operate in passive or active scanning mode

Which are true about Operation Shadowhammer?

- The exploit propagated through a corrupted patch update - Some of the tools used were known to be linked with a Chinese APT - Some users in a Reddit forum questioned the abnormal grammar in the patch notification but trusted the installation due to the valid certificate and passed virus scans

Which of the following were true about the Stuxnet malware used to attack Iran's Natanz uranium processing facility? (Select all that apply)

- The malware would only attack the control system of a very specific configuration of Seimens PLC's controlling uranium centrifuge equipment - After the malware was discovered, but before its real target was known, DHS began investigating the malware out of concern for security of US infrastructure

TOR works by obscuring the original IP header information in successive layers of encrypted packet headers. This means that an eavesdropper cannot simultaneously determine (select two)

- The originating IP address of the TOR user - The destination IP addresses visited the TOR user

The following are true of "Script Kiddies" (select all that apply):

- They lack depth in cyber skills - Their attacks are often successful

Which of the following are often true of the legacy systems running industrial control systems (select all that are true)

- They were designed to control geographically distributed systems long before they were connected to the internet - They interface to many industry-specific sensors and actuators to sense the status of and exert control over physical equipment - They are increasingly being connected to the internet by commercial-off-the-shelf (COTS) 'wrappers' that interface proprietary protocols to internet protocols (TCP and UDP).

Forging authenticity for software by using stolen PKI Certs is (select all that apply)

- Very powerful because malware is received as 'trusted' software - Difficult but definitely possible since there are tens of thousands of companies that hold PKI certs to verify code and stealing from any of them give attackers a way to write 'trusted' code.

During the OPM breach, US CERT did not shut down the attackers access immediately. They slowed the exfiltration of information to a trickle and waited for certain conditions before shutting the attackers out. What were they waiting for? (Circle all that apply)

- Waiting for a scheduled power outage to the OPM systems - Ensuring that all remote access tools (RAT) had been found and removed from the system

The UK's National Cyber Security Centre (NCSC) has a cell dedicated to monitoring the supply chain threat from Huawei. The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has discovered which of the following in its analysis of Huawei? (Select all that apply)

- Zero identifiable backdoors - Poor coding practices that could lead to exploitable vulnerabilities

In her Master's thesis on informal norms regarding state-sponsored cyberattacks, Margarita Sallinen notes which of the following changes in US norms and moral viewpoints from 2010 to 2020? (choose all that apply.)

- the US views the threat of cyberwar more seriously than it did 10 years ago, even fearing widespread power outages - the US more openly acknowledges conducting cyber operations, where previously a "this is not who we are" attitude was the norm - the US continues to portray China and Russia as cyber aggressors NOT - the US is willing to consider military responses to cyber attacks

Approximately how many electrical generator stations make up the US power grid?

5,000

The Aurora test in 2007 was:

A limited DoE test in which an electrical generator was forced into failure by intentional manipulation of its timing controls

One resource that the US government can draw upon for cyber warfare expertise is the set of Federally Funded Research and Development Centers (FFRDC's) that concentrate on cyber issues. An FFRDC is:

A not-for-profit entity that can only accept funding from the Federal government for certain narrowly defined roles, as specified by Congress

US Cyber Command is:

A separate unified command, like CENTCOM (Central Command) and PACOM (Pacific Command)

The Low Orbit Ion Cannon (LOIC) was:

A simple network stress testing tool, modified to enable manual and semi-automated DDoS attacks

Which of the following is NOT an organization that publishes cyber security standards?

AFL/CIO

Libicki identifies four types of privacy. The type that protects the right to control information about oneself even if such information was generated in public, before complete strangers and is related to assembling data on your web searches, purchases, locations, etc. is:

Aggregate privacy

Iran has launched several cyber attacks and campaigns against the US, possibly in retaliation for Stuxnet. Which of these have NOT been targeted by Iran?

All have been attacked: - Banks and financial institutions - Oil production - Intellectual property - Dams

The hacker group "Anonymous" is motivated by:

All of the these

Attribution is difficult because (select all that apply):

All of them

Which of the following were typically offered by the Russian Business Network?

All of them: - "Bulletproof" servers providing anonymity and good quality service - Customer services such as "guarantors" who hold money until job is complete, and 24/7 business hours - Stolen administrator credentials - Money laundering

Select all of the following that are true of kernel mode rootkits.

All of them: - They can avoid detection by most anti-malware programs - They allow easy access to files, privilege escalation, and injecting code into running processes - They are relatively easy to produce - They are very valuable to hackers

The following factor or factors were key to the data theft from Office of Personnel Management:

All of these

A report published in March of 2018 by the FBI and DHS concluded which of the following about Russian infiltration of US infrastructure

All of these were findings of the report

Which of the following types of state-sponsored cyber attacks increased during the COVID-19 pandemic?

All of these: - Attacks on medical research facilities - Attacks on health care facilities - Spam and COVID disinformation - Critical infrastructure attacks

Which of the following can be accomplished by hacking the SS7 core network?

All of these: - Third party can eavesdrop on a conversation - Physical location of a phone user can be determined - A user's text messages can be received by a third party

Which of the following is true?

All of these: - In 2015 Russia attacked Ukraine's power grid and "blew bridges" to the human control interface, forcing manual resets - In 2016 Russia attacked Ukraine's power grid and installed software that would force safety circuits to remain closed instead of opening to prevent overvoltage, creating cascading failures - DHS/CERT has found Russian malware called "Black Energy" on many computers controlling the US power grid

The best defense against ransomware is:

Back up your data frequently to a removable drive

Attackers gained access to Target's networks

Because a 3rd party vendor with weak security was compromised and hackers used the 3rd party credentials to access Target

Detecting WannaCry by noticing the spike in SMB traffic on port 445 is an example of:

Behavior-based detection

Some proponents of cyber arms control appeal to the past success of international treaties limiting weapons of mass destruction. Which makes a stronger analogy to cyber weapons?

Biological weapons

Which of the following is true?

Both statements are true

The most successful means that APTs have to date found for gaining initial intrusion onto a network is:

Combining social engineering with email (phishing)

The malware used in the Target hack, BlackPOS, was (circle all that apply):

Commercially sold on the dark web for under $5,000

Regarding data breaches, which moral/ethical position holds that the client of a breached company has the responsibility for ensuring that they have given their data to a company that has adequate security, thus the client bears the risk?

Contractual view

A recent study of the literature on cybercrime from 2010-2020 found that the most cited paper focused on the topic of:

Cyberbullying

In the 2015 Russian attack on Ukraine's power grid, the main reason for the use of KillDisk was to:

Erase the Master Boot Record, destroying the operating system on machines needed to control the RTU's, making recovery over the network impossible

A 2014 study by Center for Study of Presidency and Congress published a number of specific legislative policy actions, which today form the backbone of US critical infrastructure protection policy. True or False

False

According to the Tallinn manual, nation-states should not be held accountable for allowing rouge groups or hacktivists to operate from within their borders or through their cyber infrastructure. True or False

False

Consumer devices on the internet of things are relatively safe from cyber-attack since there are so many different implementation standards it makes the hacker's job nearly impossible. True or False

False

In contrast to the Obama administration, the Trump administration strongly denounced the Russian campaign against critical infrastructure in March 2018, and the same day indicted 19 Russians for election hacking. This 'hard line' stance had a marked 'chilling' effect on Russian hacking against the US. True or False:

False

Roughly 95% of the content on the internet is on the "Dark web". True or False

False

The hack on a Predator drone by Iran was made possible by Iran obtaining military-grade exploits from Russia. True or False

False

The need to be seen as open and honest in the international arena puts pressure on Chinese Industry and Academia which counteracts the pressure from their military and intelligence communities, providing balance. True or False:

False

Under section 215 of the USA PATRIOT Act, the FBI can order anyone (particularly applied to telecommunications companies) to turn over business records for an authorized counterterrorism or espionage investigation, as long as the request is made publicly. True or False:

False

Which notorious piece of malware was deployed primarily in Iran; captured email, passwords, and even recorded Skype calls; and propagated by USB and LAN?

Flame

The attacker in the Maroochy incident gained his knowledge of the sewage distribution system by:

Having worked on the system himself as a contractor

When a wireless mobile device is traveling through several networks, it's location is discovered by anyone trying to reach it by first contacting the:

Home network

Which foreign-owned telecommunication equipment provider has been banned from selling to the US government?

Huawei

The acronym HMI refers to:

Human-Machine Interface

The Russian Business Network was eventually forced to cease operation in 2008 when its domain name, estdomain.com (Links to an external site.), was revoked by what authority?

ICANN

The 'WannaCry' ransomware worm was stopped from propagating by:

Invoking a 'kill switch' by establishing a web domain name, which the virus would check for before propagating

Among the challenges in policing cybercrime is a lack of knowledge that arises from failure of individuals and organizations to report cybercrime incidents when the occur. Which of the following is NOT a reason that organizations commonly let cybercrime go unreported?

Lack of awareness of proper reporting procedures

Hiding malware as system files, disguising code to run as normal system processes, and invoking user privileges to run programs and explore file structure are characteristics of:

Lateral Movement

What is a Ad Hoc mode for a wireless network?

No base station, nodes can only transmit (eg. Bluetooth)

The security plan for the hacked Predator comm link was:

No encryption, just don't publish the keys

When a data breach is detected, the first steps the victim organization should be

Observe the intruder's actions to see what data they are taking, where the C2 nodes are, and what the extent of the breach is.

What is the primary difference between 3G and 4G network core architecture?

On 3G networks voice and data are transmitted separately over the telephone network and the internet, while on 4G both are transmitted over the internet.

The care-of-address in mobile routing is the address:

On the visited network where the mobile device currently resides

Operational Technology (OT) refers to systems that control physical equipment, while Information Technology (IT) refers to systems that are concerned with moving and processing data. Which is characterized by deep hierarchical structure, numerous protocols, and a need for highly precise timing?

Operational Technology

'Anonymous' launched Operation Payback to protest

PayPal, Amazon and major credit card companies boycott of Wikileaks

The Russian hackers targeting international anti-doping organizations used a wi-fi hacking tool known as a 'pineapple'. The purpose of the device was to:

Pose as a legitimate access point in order to spoof users into connecting to the pineapple - a man-in-the-middle attack

Stealing access tokens and targeting remote user credentials are characteristics of:

Privilege escalation

The acronym PLC stands for:

Programmable Logic Controller

The data stolen in the OPM breach could be used for:

Social engineering, including blackmail, of US personal holding security clearances

One of the reasons that the impersonation of James Stavridis' Facebook account was discovered relatively quickly was because

Stavridis was so prominent that many 'friends' questioned the impostor's authenticity

The fact that DoD restricts use of hardware from China, and Kaspersky software from Russia reflects their concern for:

Supply chain threat

Which of the following is NOT a requirement of effective ransomware?

Symmetric encryption keys tied to a Caesar cipher

The operator of the Dark Web black market known as the Silk Road was known by the pseudonym:

The Dread Pirate Roberts

According to the New York Times, the Saudi Crown Prince has enlisted the help of whom to aid in leveraging cyber to surveil and suppress dissidents?

The Israeli firm NSO

The network known as TOR (The Onion Router) was originally developed by:

The US Defense Department

Which is NOT true of the attack on the Bangledesh bank by the Lazarus group?

The attackers used a zero day exploit to penetrate the bank's firewall

How/when did Dutch police arrest the personas behind the Hansa Sting?

The personas still have not been found, thus making the longterm effects unclear

Beaconing is:

The practice of malware 'phoning home' through a backdoor, allowing an APT to expand their access to a compromised network

According to Libicki, which of the following is NOT true of China's strategy for cyber dominance.

They have dominated the market for cyber technology, producing more semiconductor chips than any other nation, and rivaling the US in advanced software production.

Which of the following "5 Pillars" of the 2018 DHS Cyber Strategy has an offensive operations component?

Threat Reduction

The idea that trust can be quantitatively measured by common backgrounds, mutual friends, and frequency of interaction is referred to in network analysis as:

Transitive trust

According to the Tallinn manual (and the ethical principle of Just Warfare), a nation-state can respond to a cyber attack with either cyber or conventional weapons, as long as the response is proportional. True or False

True

Incorporation of COTS components to connect ICS to the 'regular' internet may actually weaken security, not only because of increased access, but also because standardization makes it easier to engineer attacks. True or False:

True

SCADA, PLC's, and DCS (distributed control systems) can be considered to be subsets of the larger category of industrial control systems (ICS). True or False:

True

A 3G wireless mobile phone network transmits:

Voice over the public telephone network, but data over the internet

Which of the following wireless encryption protocols is the strongest?

WPA2