Hacker Techniques Tools and Incident Handling

First Tier of Forensics

The first tier which is the preparation or collection phase involves the search, recognition, collection, and documentation of electronic evidence. To preserve the original evidence, this tier often required creating an image of the original digital media without disturbing its contents.

Fourth Tier of Forensics

The fourth or reporting tier includes documenting the results of the examination process and limitations of the investigation. Ideally, this phase will be enabled throughout the course of the investigation by features built into the digital forensic tools.

What is a Business impact analysis (BIA)?

The process of analyzing existing risk and using various strategies to minimize said risk

Second Tier of Forensics

The second tier is the examination phase, which helps to make digital evidence visible and explains its origins and significance. This includes revealing hidden or obscured information.

Third Tier of Forensics

The third tier is the analysis phase, which involves studying the product of the examination tier for its relative importance to the case under investigation.

What is anomaly detection?

Type of detection that uses a known model of activity in an environment and reports deviation from the model as potential intrusions.

A DoS attack on a router will revert it to a _______

fail-open state

What is a Cold site?

A backup location which is very inexpensive to maintain. Often does not contain backed-up copies of data and configurations, or necessary hardware in place, but does include basic facilities and power.

What is a Warm site?

A backup location which offers a balance between expense and outage time. Typically has some, if not all, necessary hardware in place with other items such as power and Internet connectivity already established. These site usually contain backups but they may be out of date by several days or weeks.

What is an Incident Response Plan (IRP)?

A plan including all the steps and details required to investigate a security breach.

What is a Hot site?

A top of the line backup location that provides little to no downtime but is a high expense. These sites have a high degree of synchronization with the primary site up to the point of completely duplicating it. Requires a high degree of complexity and cost but substantially reduces downtime.

In Linux, you issue commands from a command line using which of the following? A. A terminal window B. The KDE interface C. The GNOME interface D. The kernel

A. A terminal window

Which of the following are scripting languages? (choose two) A. Active X B. Java C. CGI D. ASP.Net

A. Active X C. CGI

Which of the following can limit the impact of worms? A. Antivirus software, firewalls, patches B. Anti-spyware, firewalls, patches C. Anti-worm software, firewalls, patches D. Anti-malware

A. Antivirus software, firewalls, patches

Web application are used for? A. Enabling dynamic content B. Streaming video C. Applying scripting D. Lack of input validation

A. Enabling dynamic content

A(n) _____ is a plan that defines the procedures for responding to a security threat. A. IRP B. DCP C. DRP D. None of the above

A. IRP

Monitoring __________ allows network analysts to see exactly which hosts may be compromised and what destination IP addresses employees are accessing. A. Internal network traffic B. External network traffic C. Cross-site scripting (XSS) D. The Damn Vulnerable Web Application (DVWA)

A. Internal network traffic

Which of the following is a desktop interface for Linux? A. KDE B. SUSE C. Ubuntu D. GPL

A. KDE

What is the core of the Linux operating system? A. Kernel B. Shell C. GUI D. VPN

A. Kernel

Covert channels work over A. Known channels B. Wireless C. Networks D. Security controls

A. Known channels

______ is used to fake a MAC address. A. Spoofing B. Flooding C. Poisoning D. Hijacking

A. Spoofing

______ record(s) a user's typing A. Spyware B. Viruses C. Adware D. Malware

A. Spyware

To establish a connection-oriented connection, a(n) __________ (SYN > SYN-ACK > ACK) is performed between the IP source and IP destination. A. Three-way handshake B. IP handshake C. IP address handoff D. connection handoff

A. Three-way handshake

A DoS attack is meant to deny a service from legitimate usage. A. True B. False

A. True

Active sniffing is used when switches are present A. True B. False

A. True

Backdoors on a system can be used to bypass firewalls and other protective measures A. True B. False

A. True

Because your Web browser is your main portal to the Internet, you need to be sure you have its latest version and to download all the updates. A. True B. False

A. True

In a phone-based attack, it is fairly easy for an attacker to make a call that appears to be coming from the CEO's office and win the trust of someone else in the organization. A. True B. False

A. True

Session hijacking is used to take over an authenticated session A. True B. False

A. True

Setting up a limited profile on Facebook gives you flexibility as to who is allowed to see which portions of a profile A. True B. False

A. True

Someone walking into an office and taking a file folder full of important data off a desk can be part of a social engineering attack? A. True B. False

A. True

The command mv is designed to move files. A. True B. False

A. True

Trojans are a type of malware A. True B. False

A. True

Trojans can be used to open backdoors on a system A. True B. False

A. True

Worms are designed to replicate repeatedly. A. True B. False

A. True

You should never use information posted about you online as the basis for your password or security hints. A. True B. False

A. True

____ attach(es) to files. A. Viruses B. Worms C. Adware D. Spyware

A. Viruses

Which command is used to list all the files and subdirectories in a given location? A. ls B. cd C. rm D. del

A. ls

Another location from which to conduct business in the event of a disaster is called a(n) ______

Alternate site

Social engineering scam involving Amazon and publicly available information

Amazon "Customer Service Backdoor"

What is a Network-based intrusion detection system (NIDS)?

An IDS that can detect suspicious activity on a network, such as misuse, SYN floods, MAC floods, or other similar behavior. The NIDS device monitors the network through the use of a network card that allows it to view all traffic through the switch

What is a Host-based intrusion detection system (HIDS)?

An IDS that can monitor activity on a specific host or computer. The HIDS extends only what is on the specific host, not on the network. This type of IDS can monitor access, event logs, system usages, and file modifications.

What is an IDS?

An Intrusion Detection System (IDS) is at tool that enables you to detect attacks on a network or host basis.

What percentage of companies are estimated to have policies regarding social networking? A. 15 percent B. 40 percent C. 75 percent D. 90 percent

B. 40 percent

____ runs completely from removable media. A. Linux B. A Live CD C. The kernel D. A Shell

B. A Live CD

Prevention of viruses and malware includes ______ A. Pop-up blockers B. Antivirus C. Buffer overflows D. All of the abolve

B. Antivirus

Sniffers can be used to A. Decrypt information B. Capture information C. Hijack communications D. Enforce Security

B. Capture information

Which of the following is a characteristic of adware? A. Gathering information B. Displaying pop-ups C. Intimidating users D. Replicating

B. Displaying pop-ups

Monitoring __________ allows information systems security practitioners to see who and what is attempting to infiltrate the IP network. A. Internal network traffic B. External network traffic C. Cross-site scripting (XSS) D. The Damn Vulnerable Web Application (DVWA)

B. External network traffic

BCP is used to defined the process and procedure used to clean up after a disaster. A. True B. False

B. False

Backdoors are an example of covert channels A. True B. False

B. False

If you really understand Facebook's privacy settings, you can arrange to keep everything in you profile private. A. True B. False

B. False

It's acceptable to use one password for all of your online financial accounts, as long as that one password is strong enough A. True B. Are you ****ing kidding me?

B. False

Multipartite viruses come in encrypted form A. True B. False

B. False

Scareware is harmless A. True B. False

B. False

Session hijacking is used to capture traffic A. True B. False

B. False

The command mv is used to remove empty directories. A. True B. False

B. False

The command used to display where you are in the file system is cd. A. True B. False

B. False

The stability of a Web server does not depend on the operating system. A. True B. False

B. False

The target of source code exploits is most often databases. A. True B. False

B. False

Viruses do not require a host program A. True B. False

B. False

Browsers do not display which of the following? A. ActiveX B. Hidden fields C. Java D. JavaScript

B. Hidden fields

Which of the following statements is true regarding building a baseline definition? A. In a real-world situation, a proper baseline definition can be built in a matter of minutes. B. Network engineers use baseline analysis to identify anomalies that could indicate problems. C. Baseline analysis involves a single tool and deals with small packet capture files. D. Baseline analysis only needs to be performed once, not as a regular part of network monitoring.

B. Network engineers use baseline analysis to identify anomalies that could indicate problems.

What technique is used when traffic is captured on a network with hubs A. Active sniffing B. Passive sniffing C. MAC flooding D. Ether flooding

B. Passive Sniffing

Which of the following challenges can a firewall solve? A. Protection against buffer overflows B. Protection against scanning C. Inadequate input validation D. Ability of a Web application to use nonstandard ports

B. Protection against scanning

Which of the following is designed to exploit applications that solicit the client to supply data that is processed in the form of SQL statements? A. Buffer overflows B. SQL injection C. Buffer injection D. Input validaton

B. SQL injection

What is a term for tricking or coercing people into giving up confidential information or otherwise violating security policy? A. Social media B. Social engineering C. Social networking D. Reverse social engineering

B. Social engineering

What type of device can have its memory filled up when MAC flooding is used A. Hub B. Switch C. Router D. Gateway

B. Switch

Which command is used to create new directories? A. cddir B. mkdir C. rmdir D. lsdir

B. mkdir

Which of the following is used to audit databases? A. Ping B. IPConfig C. NGSSquirrel D. XSS

C. NGSSquirrel

____ is designed to intimidate users A. Adware B. Viruses C. Scareware D. Worms

C. Scareware

Which is used to intercept user infromation? A. Adware B. Scareware C. Spyware D. A virus

C. Spyware

____ is known to disable protective mechanisms on a system such as antivirus software, anti-spyware software, and firewalls, and to report on a user's activities. A. Adware B. Scareware C. Spyware D. A virus

C. Spyware

Which of the following are used to gather additional packet data for Wireshark to send small files between clients and servers on the various machines? A. The Damn Vulnerable Web Application B. NetWitness Investigator C. The Tftpd64 application and FileZilla D. TCPdump and PuTTY

C. The Tftpd64 application and FileZilla

What is the front line of defense for cybersecurity in any organization? A. A carefully written set of policies governing acceptable use of corporate computers B. Federal laws that protect privacy C. The end user D. A solid firewall

C. The end user

______ are methods for transferring data in an unmonitored manner

Covert channels

Trojans are designed to be small and stealthy in order to: A. Bypass covert channels B. Bypass firewalls C. Bypass permissions D. Bypass detection

D. Bypass detection

TCPdump is a command line utility used to: Select one: A. Identify common network protocols. B. Identify network baseline definitions. C. Create network baseline definitions. D. Capture network traffic on a server.

D. Capture network traffic on a server.

Which of the following is one of the goals of Trojans? A. Sending data B. Changing system settings C. Opening covert channels D. Giving remote access

D. Giving remote access

Which of the following tools is a seven-layer protocol analyzer that is user friendly and provides detailed protocol analysis and protocol behavior analysis? A. TCPdump B. Wireshark C. Damn Vulnerable Web Application D. NetWitness Investigator

D. NetWitness Investigator

A network baseline definition is a record of A. Network breaches and failures. B. Audits performed on the network. C. Adherence to corporate policies. D. Normal network performance.

D. Normal network performance.

An attacker who gains the trust of a potential victim to the point where the victim volunteers information before the attacker tries to get it is said to have succeeded in what. A. Social media B. Social engineering C. Social networking D. Reverse social engineering

D. Reverse social engineering

What is a Business continuity plan (BCP)?

Defines how organization will maintain normal day-to-day business after security incident or other disruptive event

What is a Disaster recovery plan (DRP)?

Defines how personnel and assets will be safeguarded in the event of a disaster and how assets will be restored and brought back to an operating state after disaster passes

______ is the term for criminals' practice of going through industrial of corporate trash containers looking for information such as contact lists, manuals, memos, calendars, and printouts of important documents.

Dumpster diving

_____ is a combination malware and Trojan Horse RAT based on Stuxnet designed to spy on industrial control systems

Duqu

_____ Is a powerful preventive measure for stopping viruses.

Education and Anti-virus software

______ is used to overwhelm a service

Hijacking (or DDoSing)

_____ are configured to go off at a certain date, time, or when a specific event occurs

Logic bombs

______ is used to flood a switch with bogus MAC addresses

MAC flooding

______ is sending mass emails in the hope of getting a small percentage response

Phishing

_______ is creating a fabricated situation to extract information or access - more time consuming, does not rely on the urgency of phishing attacks

Pretexting

Petya and SamSam are examples of _____

Ransomware

What is signature recognition?

Refers to an IDS that is programmed to identify known attacks through common digital fingerprints

______ perform active and passive scans of network to identify all SQL Server installations that may be hidden

SQLPing 3.0 and SQLRecon

Well known exploit in the GNU Bourne-Again Shell (BASH), a very popular command line shell used by Unix, Linux, Mac OS, and many Internet of Things devices

ShellShock

______ is sending targeted emails after performing reconnaissance on a target

Spear Phishing

_____ is a malware spread via infected USB drive or across a network as a worm. Designed to interfere with Siemens programmable logic microcontroller in order to make centrifuges operate at unsafe speeds while displaying proper speed .

Stuxnet

Unauthorized physical access such as holding the door open is known as _____

Tailgating

What is the GPL?

The General Public License (GPL) is the software licence that governs the Linux kernel and other open source software