3200 Chapter 11 - Security Assessments

Rules of engagement

A document that defines exactly how the penetration test will be carried out.

Common Vulnerabilities and Exposures (CVE)

A list of standardized identifiers for known software vulnerabilities and exposures.

Threat feed

A service that tracks cyber threats across the world and provides real-time updates with IP addresses, URLs, and other relevant information regarding the threats.

Security Orchestration, Automation and Response

A solution stack of compatible software programs that collect data about security threats from multiple sources and respond to low-level security events without human assistance.

Common Vulnerability Scoring System

A system that ranks vulnerabilities based on severity.

Scope of work

A very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work.

Advisories and bulletins

Advisories and bulletins provide detailed updates on cyber threats. They are usually updated weekly.

Reconnaissance

Also known as footprinting. This is the process of gathering information about a target before beginning any penetration test or security audit.

Heuristic-based detection

Also referred to as behavior, anomaly, or statistical-based detection. This detection method first defines a baseline of normal network traffic and then monitors traffic looking for anything that falls outside that baseline.

Signature-based detection

Also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS). This detection method looks for patterns in network traffic and compares them to known attack patterns called signatures.

You are concerned about protecting your network from network-based attacks on the internet. Specifically, you are concerned about attacks that have not yet been identified or that do not have prescribed protections. Which type of device should you use?

Anomaly-based IDS

What is the most common form of host-based IDS that employs signature or pattern-matching detection methods?

Antivirus software

Open-Source Intelligence (OSINT)

Any data that is collected from publicly available sources such as social media, search engines, company websites, media sources, or public government sources.

Which of the following activities are typically associated with a penetration test?

Attempt social engineering.

You have been hired as part of the team that manages an organization's network defense. Which security team are you working on?

Blue

____ team members are the defense of the system. This team is responsible for stopping the red team's advances.

Blue

As part of a special program, you have discovered a vulnerability in an organization's website and reported it to the organization. Because of the severity, you are paid a good amount of money. Which type of penetration test are you performing?

Bug bounty

What does an IDS that uses signature recognition use to identify attacks?

Comparisons to known attack patterns

____ and ____ are two common command line programs that can be used to download or upload files. An example of using these tools is to download an entire website for offline analysis. Because these tools actively engage with the target, they are considered active reconnaissance tools.

Curl, wget

Intrusion detection system

Device or software that monitors, logs, and detects security breaches, but takes no action to stop or prevent the attack.

Intrusion prevention system

Device that monitors, logs, detects, and can also react to stop or prevent security breaches.

____ is a program that performs DNS enumeration and can find the DNS servers and entries for an organization. This information can help find other information such as usernames, computer names, IP addresses, and more.

Dnsenum

As a security precaution, you have implemented IPsec that is used between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement?

Host-based IDS

____ is a security tool that can check connectivity and also analyze the target to gather information.

Hping

Engine

IDS component that analyzes sensor data and events, generates alerts, and logs all activity.

Sensor

IDS component that passes data from the source to the analyzer.

____ are special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses.

IP scanners

You are concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible. Which tool should you use?

IPS

Your organization uses a web server to host an e-commerce site. Because this web server handles financial transactions, you are concerned that it could become a prime target for exploits. You want to implement a network security control that analyzes the contents of each packet going to or from the web server. The security control must be able to identify malicious payloads and block them. What should you do?

Implement an application-aware IPS in front of the web server

Which of the following describes a false positive when using an IPS device?

Legitimate traffic being flagged as malicious

Which step in the penetration testing life cycle is accomplished using rootkits or Trojan horse programs?

Maintain access

You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tool should you use?

Nessus

____ is a proprietary vulnerability scanner that is developed by Tenable. It can be used to scan the target for any known vulnerabilities, which can be exploited to gain access to the target.

Nessus

You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use?

Network mapper

Gathering as much personally identifiable information (PII) on a target as possible is a goal of which reconnaissance method?

OSINT

The ____ framework is a collection of resources and tools that are separated by common categories. The OSINT Framework makes it easy to gather all sorts of information, making the initial reconnaissance process much more efficient.

OSINT

Which type of reconnaissance is dumpster diving?

Passive

Black box test

Penetration test in which the ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores the insider threats.

White box test

Penetration test in which the ethical hacker is given full knowledge of the target or network. This test allows for a comprehensive and thorough test, but is not very realistic.

Gray box test

Penetration test in which the ethical hacker is given partial information of the target or network, such as IP configurations, email lists, etc. This test simulates the insider threat.

Which of the following uses hacking techniques to proactively discover internal vulnerabilities?

Penetration testing

An active IDS system often performs which of the following actions? (Select two.)

Performs reverse lookups to identify an intruder, Updates filters to block suspect traffic.

____ is a command line tool that is used to perform a connection test between two network devices.

Ping

Which phase or step of a security assessment is a passive activity?

Reconnaissance

False negative

Scan results that indicate no vulnerability when a vulnerability exists.

False positive

Scan results that indicate a vulnerability when none exists.

Which of the following is a very detailed document that defines exactly what is going to be included in the penetration test?

Scope of work

Which of the following tools can be used to see if a target has any online IoT devices without proper security?

Shodan

____ is a popular search engine for internet-connected devices. Users are able to search for specific types of devices and locations. This information can be used to see if a target has any online devices without proper security.

Shodan

Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database?

Signature-based IDS

____ is an automated scanner that can be used to enumerate and scan for vulnerabilities. It combines the functions of many tools and can be used to find information such as DNS information, open ports, running services, and more.

Sn1per

IP scanners

Special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses.

Security information and event management

Special tools that gather network information and aggregate it into a central place. SIEM systems can actively read the network information and determine if there is a threat.

What is the primary purpose of penetration testing?

Test the effectiveness of your security perimeter.

Packet sniffing

The act of capturing data packets transmitted across the network and analyzing them for important information.

Eavesdropping

The act of covertly listening in on a communication between other people.

War driving

The act of driving around with a wireless device looking for open vulnerable wireless networks.

War flying

The act of using drones or unmanned aerial vehicles to find open wireless networks.

Threat hunting

The human-based, methodical search and monitoring of the network, systems, and software in order to detect any malicious or suspicious activity that has evaded the automated tools.

Vulnerability scan

The process of capturing and analyzing packets to identify any security weaknesses in a network, computer system, local applications, and even web applications.

Passive reconnaissance

The process of gathering information by interacting with the target in some manner.

Intelligence fusion

The sharing of information between multiple government agencies and private security firms.

Which of the following describes the worst possible action by an IDS?

The system identified harmful traffic as harmless and allowed it to pass without generating any alerts.

Bug bounty

These unique tests are set up by organizations such as Google, Facebook, and others. Ethical hackers can receive compensation by reporting bugs and vulnerabilities they discover.

The process of walking around an office building with an 802.11 signal detector is known as:

War driving

You have been promoted to team lead of one of the security operations teams. Which security team are you now a part of?

White

You have been hired to perform a penetration test for an organization. You are given full knowledge of the network before the test begins. Which type of penetration test are you performing?

White box

An ____, also called an IPS, performs the functions of an IDS but can also react when security breaches occur.

active IDS

The ____ command is used in both Windows and Linux. ARP stands for Address Resolution Protocol and is used to match IP addresses to MAC addresses.

arp

The ipconfig command (Windows) and the ifconfig command (Linux) are used to display the IP ____ on the local computer.

configuration

In a ____ scan, the scanner uses an administrator or other account's credentials to perform the scan. This method gives a deeper look at the network and is able to identify more vulnerabilities than a non-credentialed scan.

credentialed

Which of the following tools can be used to view and modify DNS server information in Linux?

dig

The third phase takes all of the information gathered in the reconnaissance and scanning phases to ____ any discovered vulnerabilities in order to gain access. After gaining access, the pentester can perform lateral moves, pivoting to other machines on the network. The pentester will begin trying to escalate privileges with the goal of gaining administrator access.

exploit

A ____ traffic assessment means that harmful traffic was allowed to pass without any alerts being generated or any actions being taken to prevent or stop it. This is the worst possible scenario.

false negative

A ____ traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic.

false positive

A ____ scan finds a potential vulnerability and then actively attempts to exploit it. This leads to more accurate results but cannot be done on a live system.

intrusive

Once the pentester has gained access, ____ that access becomes the next priority. This can be done by installing backdoors, rootkits, or Trojans.

maintaining

A ____ traffic assessment means that the system deemed the traffic harmless and let it pass.

negative

The ____ security tool can read and write data across both TCP and UDP network connections. It opens a TCP connection between two devices and can be used to send packets, scan for open ports, and listen in on connections to specific ports.

netcat

Use the ____ command to display a variety of network statistics in both Windows and Linux.

netstat

The ____ utility is a network security scanner.

nmap

You need to enumerate the devices on your network and display the network's configuration details. Which of the following utilities should you use?

nmap

With a ____ scan, the security administrator does not authenticate to the system prior to running the scan. This scan shows open ports, protocols, and services that are exposed on a host system. This shows vulnerabilities that an outside attacker might be able to take advantage of.

non-credentialed

A ____ scan is the more common type of scan performed. This method scans the network and lists all potential vulnerabilities but is unable to validate whether the system is vulnerable. This type of scan is able to be performed on live systems and requires the network defender to take additional actions.

non-intrusive

The ____ and dig commands are used to view and modify DNS settings. These tools can be used to look up DNS server information and also give IP addresses and domain names for a network server.

nslookup

The ____ Windows command line tool combines the tracert and ping tools.

pathping

You need to check network connectivity from your computer to a remote computer. Which of the following tools would be the BEST option to use?

ping

A ____ traffic assessment means that the system detected an attack and the appropriate alarms and notifications were generated or the correct actions were performed to prevent or stop the attack.

positive

Members of the ____ team work on both offense and defense. This team is a combination of the red and blue teams.

purple

The first phase in the pentesting process is ____, also known as footprinting. In this phase, the pentester begins gathering information on the target. This can include gathering publicly available information, using social engineering techniques, or even dumpster diving.

reconnaissance

The ____ team members are the ethical hackers. This team is responsible for performing the penetration tests.

red

The ____ command is used in both Windows and Linux to show the routing table and to make manual changes to the table.

route

____ is used for port scanning. Instead of scanning ports from the hacker machine, it uses exploitation websites to perform port scans. This means the attacker is able to maintain anonymity while scanning the target.

scanless

Running ____ on the target is the second phase. During this phase, the ethical hacker is actively engaged with the target. Enumeration is part of the scanning phase. Enumeration uses scanning techniques to extract information such as usernames, computer names, network resources, share names, and running services.

scans

The final phase is generating the ____ and supporting documentation. After any penetration test, a detailed report must be compiled. Documentation provides extremely important protection for both the penetration tester and the organization.

test results

Which passive reconnaissance tool is used to gather information from a variety of public sources?

theHarvester

____ is a passive reconnaissance tool that is used to gather information from a variety of public sources. The tool gathers emails, names, subdomains, IPs, and URLs using multiple public data sources. These sources include search engines, social media sites, and Shodan.

theHarvester

The _____ tool shows the path a packet takes to reach its destination. Every device the packet passes through is known as a hop.

tracert

The ____ team members are the referees of cybersecurity. This team is responsible for managing the engagement between the red and blue teams. This group typically consists of the managers or team leads.

white
