C842 - CyberDefense and CounterMeasures WGU Quizlet (EC Council CIH v2) by Brian MacFarlane
Which of the following type of risk is defined by the formula (threats x vulnerability)? A Residual risk B Qualitative risk C Inherent risk D Quantitative risk
C
Which one of the following CSIRT services includes alerts and warnings, incident handling, vulnerability handling, and artifact handling activities? A Reactive Services B Proactive Services C Security Quality Management Services D Vulnerability Management Services
A
Which one of the following is a technical threat? A Incorrect data entry B Shoulder surfing C Sniffing and scanning of the network traffic D Password guessing
C
A business framework for IT governance and management, with a toolset that enables managers to bridge the gap between control requirements, technical issues, and business risks.
COBIT
Public Cloud - open for public use; Private Cloud - single organization; Community Cloud - several organizations from a specific community; Hybrid Cloud - two or more clouds combined, such as private and public.
Cloud Models
Provides Cloud services
Cloud Provider
CloudPassage Halo - a cloud server security platform with all the security functions needed to safely deploy cloud servers, which we all know an incident handler needs to have in his toolbox. 😂
Cloud Security Tools
A person or organization who makes the services available to the customers.
Cloud Service Provider (CSP)
Loggly - offers cloud monitoring for analyzing system behavior and suspicious activities
Cloud-based Analysis Tools
Which of the following refers to the process of identifying, labeling, recording, and acquiring data from all possible sources? A Collection B Preservation C Examination D Analysis
A
Which of the following terms defines the purpose and scope of the planned incident handling and response capabilities? A IH&R mission B IH&R staffing C IH&R team models D IH&R vision
A
On-demand self-service, distributed storage, rapid elasticity, automated management, broad network access, resource pooling, measured service, virtualization technology
Clouds Provide
doskey /history
Command History
The person who is the first to arrive at the crime scene, assesses the crime scene, and alerts management and the incident response teams.
First Responder
Forensic Explorer (recovers and analyzes hidden and system files, deleted files, slack space, and unallocated space); FTK (Forensic Toolkit); Event Log Explorer
Forensic Analysis Tools
A process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value.
Forensic Data Acquisition
A statement of allegations and conclusions drawn from the computer forensics investigation.
Forensic Investigation Report
A set of procedures describing the actions an organization must take to preserve and extract forensic evidence during an incident.
Forensic Policy
Which of the following policies controls access to the facilities and computers? A Information Security Policy B Personnel Security Policy C Physical Security Policy D Evidence Collection Policy
C
An organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs.
Forensic Readiness
A set of processes required to achieve and maintain forensic readiness.
Forensic Readiness Planning
The expenditures that the organization cannot calculate directly or value accurately.
Intangible Costs
Alerts, warnings, reports, complaints, and issues that represent an ongoing or completed security attack on an organization or its resources.
Signs of An Incident
Alerts of data exfiltration, missing or modified network logs, changes in network patterns, multiple failed logon attempts, behavioral and temporal changes, access at unusual times and locations, missing or modified critical data, unauthorized download of sensitive data
Signs of an Insider
Which of the following risk mitigation strategies makes an organization absorb minor risks while preparing to respond to major ones? A Risk avoidance B Risk limitation C Risk assumption D Risk planning
C
Which of the following sources of evidence helps an incident responder to collect information that guides him or her in building the timeline of attack? A financial services B job services C social networks D online location tracking
C
Which of the following statements defines a risk policy? A Estimating the damage caused by the occurrence of a disaster B Finding the level of the risk C Set of ideas implemented to overcome risks D Defined probability of the occurrence of an incident
C
Which of the following terms is considered as a process of scanning an IP range to detect live hosts? A port scanning B social engineering C ping sweeping D DNS footprinting
C
Which of the following terms refers to a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory? A forensic policy B promiscuous policy C chain of custody D forensic readiness plan
C
The unsolicited or undesired emails used to distribute malicious links and attachments, cause network congestion, perform phishing and financial frauds, and so on.
Spam
A black box testing method. It is a quality checking and assurance technique used to identify coding errors and security loopholes in web applications.
Web Application Fuzz testing
Software programs that run on web browsers and act as the interface between users and web servers through web pages.
Web Applications
Refers to how much the digital evidence changes the probability of the fact.
Weight of the Digital Evidence
Which of the following terms refers to an art of manipulating people to divulge sensitive information to perform some malicious action? A pod slurping B tailgating C social engineering D privilege escalation
C
A security event that happens due to accidental or intentional activities in a wireless network.
Wireless Network Security Incident
Which of the following is the practice of identifying infected systems by looking for evidence of recent infections? A Forensic identification B Active identification C Manual identification D Passive identification
A
Bitdefender, ClamWin, Kaspersky, McAfee Total Protection, Norton AV, Avast, ESET, AVG, Avira
AntiVirus Tools
BCWipe Total WipeOut, Active@ KillDisk, CyberScrub, ShredIt, Secure Erase
Anti-Forensics Using Artifact Wiping Tools
Gophish, SPAMfighter
Antiphishing Tools
Which of the following cloud security incidents deals with suspicious IP addresses, MAC addresses, user accounts, systems, applications, services, and other attack vectors? A network related incidents B servers related incidents C virtualization related incidents D storage related incidents
A
Which of the following determines the level of risk and the resulting security requirements for each system? A Risk assessment B Contingency planning C Risk mitigation D Residual risk
A
Which of the following forensic readiness procedures helps an incident responder in gathering useful information about the system behavior through file integrity monitoring? A host monitoring B risk assessment C network monitoring D evidence assessment
A
SolarWinds, ArcSight ESM, Splunk Enterprise, LogRhythm NextGen
Insider Threat Prevention Tools (SIEM Tools)
Which of the following incidents refers to a user performing actions that violate the acceptable computing use policies? A Inappropriate usage incident B Unauthorized access incident C Multiple Component incident D Distributed Denial-of-Service (DDoS) incident
A
Which of the following is a set of specific strategies, guidelines, and processes to recover from an incident resulting from a problem or emergency? A Contingency plan B Incident recovery testing C Business impact analysis D Temporary plan analysis
A
Which of the following is an indication of unauthorized usage of the standard user account? A Usage of secret account B Alert of network and host IDS C Misplaced hardware parts D Increase in the usage of resource
A
An act of tricking people to reveal sensitive information is involved in which type of Reconnaissance technique? A social engineering B port scanning C DNS footprinting D ping sweeping
A
Carl is trying to violate the acceptable network and computer use policy. Under which category of the incident handling criteria does this scenario fall? A CAT 4 B CAT 2 C CAT 1 D CAT 3
A
Flora is an incident handler at an organization that is implementing forensic readiness procedures to handle evolving cyber threats. As part of this process, she decided to use an advanced authentication protocol to secure the organizational network resources. Which of the following protocols must Flora employ? A Kerberos/IPSec B ICMP/UDP C TCP/IP D FTP/HTTP
A
From the following, identify the Wireshark filter that is used to view packets with no TCP flags set when looking for Null scan attempts. A TCP.flags==0x000 B tcp.flags==0X029 C tcp.dstport==25 D tcp.dstport==7
A
HDBC's online banking website was knocked offline, and its customers were unable to log in and make online transactions. After a few hours, the bank authorities identified that an attacker had kept their server busy by establishing simultaneous login sessions, which prevented their customers from logging into the bank website. Identify the attack that the invader used to take the bank server offline. A DoS attack B Session Hijacking C Man-in-the-Middle D Cross-Site-Scripting
A
Which of the following is defined as the existence of a weakness in the design, or an implementation error, that can lead to an unexpected, undesirable event compromising the security of the system? A Vulnerability B Patch C Attack D Accident
A
Hexagon, a leading IT company in the USA, has received a lot of malformed TCP/IP packets, which led the main server's operating system to crash and thereby prevented the employees from accessing their resources. Which attack did the adversary use in the above situation? A DoS attack B Session Hijacking C Man-in-the-Middle D Cross-Site-Scripting
A
How will you define Qualitative risk analysis? A (Attack Success + Criticality) - (Countermeasures) B (Countermeasures) + (Criticality - Attack Success) C (Attack Success + Countermeasures) - (Criticality) D (Attack Success) + (Criticality - Countermeasures)
A
How will you define quantitative risk analysis? A Probability of loss X value of loss B Value of loss/ Probability of loss C Probability of loss + value of loss D Probability of loss - value of loss
A
Identify the character set that is used for replacing the suspicious characters to bypass the filtering mechanism in a path traversal attack. A ../ B / C > D \..
A
Identify the information security element that determines trustworthiness of data or resources in terms of preventing improper and unauthorized changes. A integrity B availability C authenticity D non-repudiation
A
Identify the security policy that doesn't keep any restrictions on the usage of system resources. A promiscuous policy B prudent policy C paranoid policy D permissive policy
A
Identify the type of DoS/DDoS incident in which the magnitude of attack is measured in bits per second (bps). A volumetric attack B transport layer attack C protocol attack D application layer attack
A
Identify the type of DoS/DDoS incident in which the magnitude of attack is measured in packets per second (pps). A protocol attack B volumetric attack C transport layer attack D application layer attack
A
In memory dump analysis, which of the following tools is used for disassembling and debugging malware? A IDA Pro B FLOSS C Hakiri D ASPack
A
Riya got the following email: Dear user, Due to an unexpected software glitch, we have lost all our customer details and left with only email IDs. In order to continue our services, we request you provide your username and password in the below fields and revert back. If not, your balance amount will be lost and account will be deleted permanently. Username: _____________ Password: ______________ Click reply and send. Note: Please Forward this mail to all the HDBC users you know. Sorry for the inconvenience. Thank you for your cooperation HDBC Bank Admin Copyright © 2017 Service Providers administrator All rights reserved. On seeing the message, Riya got startled and immediately responded to the sender with her username and password. Later she came to know that her account had been hacked. Which trick did the attacker use to trap Riya? A Attacker used phishing B Attacker used sniffing technique C Attacker used Pharming technique D Attacker used keylogger technique
A
Rob, an incident manager, was informed about an incident where a suspicious application was found residing in the active memory of multiple systems on a network. Upon investigation, he found that the application was self-replicating and degrading the systems' performance, but it did not affect the files in those systems. What is your inference from the above scenario? A The application is a Worm B The application is a Virus C The application is a Trojan D The application is a Backdoor
A
Smith is a forensic expert in a reputed organization based in New York. As part of his task, he sniffed the data packets that were trying to communicate with the organization's server, then recorded and analyzed the event logs. Which type of forensic analysis did Smith perform? A Network Forensics B Data Forensics C Internet Forensics D Source-code forensics
A
Smith is managing a web server that runs a PHP-based web service. He was escalated an incident where users were not able to access the service. During the investigation, he discovered that the web server is live and there is no alert from the anti-malware system. However, in the Task Manager, he discovered a large number of php-cgi processes that were consuming up to ninety-nine percent of the CPU. What can Smith infer from the above observation? A It indicates a DoS attack B It indicates an unauthorized access attack C It indicates a Trojan attack D It indicates a php-cgi injection attack
A
The scenario where the detection software either does not record the malicious event or ignores the important details about the event is referred to as ________. A insufficient logging and monitoring B cross-site scripting (XSS) attacks C using components with known vulnerabilities D insecure deserialization
A
What does the Neutral result on the Domain Keys Identified Mail (DKIM) protocol indicate? A The email is signed, but the signature has syntax errors, so it cannot be processed. B The email is signed and the signature passes the verification tests. C The email is signed and the signature does not pass the verification tests. D The email is signed, and some part of signature is not acceptable by administrative management domains (ADMD).
A
What is a residual risk? A Risk remaining after implementation of all the possible controls B Risk caused due to a threat exercising vulnerability C Risk resolved with the implementation of possible controls D Risk within the acceptable level of threshold
A
Which among the following malware pretends to be a program that offers useful applications, but acquires the information of the computer and sends it to a remote attacker? A Spyware B Worm C Virus D Rootkit
A
Which category of unauthorized access is associated with changes in system status? A Physical Intruder B Unauthorized Data Access C Unauthorized Usage of Standard User Account D Unauthorized Data Modification
A
Which of the following Wireshark filters is used to view the packets with FIN, PSH, and URG TCP flags set for detecting Xmas scan attempts? A tcp.flags==0X029 B tcp.dstport==7 C TCP.flags==0x000 D tcp.dstport==25
A
Which of the following activities identifies the effects of uncontrolled and non-specific events in the business process? A Business impact analysis B Support plan analysis C Temporary plan analysis D Threat Analysis
A
Which of the following phishing attacks is also known as "phishing without a lure"? A spimming B spear phishing C pharming D whaling
C
Which one of the following is an appropriate flow of steps in computer forensics process? A Preparation -> Collection -> Examination -> Analysis -> Reporting B Examination -> Analysis -> Preparation -> Collection -> Reporting C Analysis -> Preparation -> Collection -> Reporting -> Examination D Preparation -> Analysis -> Collection -> Examination -> Reporting
A
Which one of the following is an appropriate flow of the incident recovery steps? A System restoration -> System validation -> System operations -> System monitoring B System operations -> System restoration -> System validation -> System monitoring C System validation -> System operations -> System monitoring -> System restoration D System operations -> System validation -> System monitoring -> System restoration
A
Which one of the following is the correct flow of the stages in an incident response? A Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up B Identification -> Preparation -> Containment -> Recovery -> Follow-up -> Eradication C Containment -> Identification -> Preparation -> Recovery -> Follow-up -> Eradication D Eradication -> Containment -> Identification -> Preparation -> Recovery -> Follow-up
A
Which one of the following malware takes advantage of file or information transport features on the system to propagate across systems and networks without any human interactions? A Worms B Virus C Trojan D Spyware
A
Which one of the following personnel in incident response team focuses on the incident and handles it from management and technical point of view? A Incident Manager (IM) B Incident Coordinator (IC) C Incident Analyst (IA) D Technical Expert
A
A person or organization that maintains a business relationship with cloud service providers and uses cloud computing services.
Cloud Consumer
Someone who uses cloud computing services
Cloud Consumer
DNS Query Sniffer, DNS Stuff, DNS Lookup Tool, Sonar
DNS Monitoring Tools
Anti DDoS Guardian, D-Guard Anti-DDoS Firewall, Incapsula
DoS/DDoS Protection Tools
A type of preservation that is an integral part of the evidence gathering process.
Evidence Handling
API Monitor, API Metrics, Runscope, AlertSite
API Calls Monitoring Tools
Defined as taking away a person by persuasion, fraud, or open force or violence.
Abduction
Refers to how a web application grants some privileged users access to create, update, and delete any record/content or functions, while restricting other users.
Access Control
SolarWinds Server and Application Monitor, Adaxes, ADManager, ADAudit, Anturis
Active Directory Tools
An attack that focuses on stealing information from the victim machine without its user being aware of it.
Advanced Persistent Threat (APT)
A type of attack that is generated by malicious programs such as viruses, Trojan horse, worms, etc.
Malicious Code Attack
Golden Ticket (manipulating Kerberos), data file deletion, password protection, steganography, program packers, virtual machines, data hiding in file system structures, trail obfuscation, overwriting data in the metadata, encryption
Anti-Forensic Techniques
Also known as counter-forensics; a set of techniques that attackers or perpetrators use to avert or sidetrack the forensic investigation process, or to make it much harder.
Anti-Forensics
Measured in requests per second
Application Layer Attacks
Refers to the process of deleting or destroying the evidence files permanently using various tools and techniques, such as disk-cleaning utilities, file-wiping utilities, and disk degaussing/destruction techniques.
Artifact Wiping
Refers to the characteristic of a communication, document, or any data that ensures the quality of being genuine or uncorrupted.
Authenticity
The assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users.
Availability
Attacks aimed at obstructing the delivery of wireless services to legitimate users, either by crippling those resources or by denying them access to WLAN resources.
Availability Attacks
Among the following causes of an insider attack, identify the one where a competitor may approach and lure employees to corrupt the organization's data in return for huge amounts of money. A hacktivism B corporate espionage C financial gain D work-related grievance
B
Identify the email crime in which a flurry of junk mail is sent by accident without human intervention. A mail bombing B mail storming C identity theft D malware distribution
B
In the cloud deployment models, which of the following is the composition of two or more clouds that remain as unique entities but are bound together, offering the benefits of multiple deployment models? A community cloud B hybrid cloud C private cloud D public cloud
B
In which attack does an attacker infect multiple systems, called zombies, and use them to attack a particular target? A Denial of Service B Distributed denial of service C Identity Spoofing D Man-in-the-Middle
B
John, a security professional working for Xdoc Corporation, is implementing a security strategy that uses multilayered protection throughout an information system to help minimize any adverse impact from attacks on organizational assets. Identify the security strategy John has implemented. A covert channel B defense-in-depth C likelihood analysis D three-way handshake
B
Roy is a software employee working at Nexawave, a leading IT firm. One day he downloaded a few files from the internet and referred to them for his current project. While developing the project document, Roy observed that his Word application kept crashing. What could be the reason for the above situation? A Roy's system has been infected by boot-record infectors B Roy's system has been infected by a Macro virus C Roy's system has been infected by a Micro virus D Roy's system has been infected through phishing
B
What is the purpose of proactive services offered by a CERT? A To find the cost of fixing a problem B To develop the infrastructure and security processes C To provide services to the constituency D None of the above
B
Which among the following incidents refers to a person gaining access to system and network resources which he/she was not authorized to have? A Handling Inappropriate Usage Incidents B Unauthorized Access Incident C Handling Multiple Component Incidents D Authorized Access Incident
B
Which of the following Wireshark filters is used to locate duplicate IP address traffic? A arp.duplicate-traffic-detected B arp.duplicate-address-detected C tcp.duplicate-traffic-detected D tcp.duplicate-address-detected
B
Which of the following cloud computing threats refers to the ignorance of the CSP's cloud environment and poses risks in operational responsibilities such as security, encryption, and architectural issues? A unsynchronized system clocks B insufficient due diligence C abuse and nefarious use of cloud services D data breach/loss
B
Which of the following commands helps in finding the manipulated system functions while performing memory dump analysis using Volatility Framework? A threads B apihooks C idt D filescan
B
Which of the following elements of an email header shows a detailed log of a message's history, such as the origin of an email and information on forgeries? A Subject B Received C X-Mailer D Message-Id
B
Which of the following incident response actions focuses on limiting the scope and extent of an incident? A Identification B Containment C Eradication D Formulating a response strategy
B
Which of the following information security elements ensures that the information is accessible only to those who are authorized to have access? A authenticity B confidentiality C integrity D availability
B
Which of the following is NOT a static malware analysis technique? A file fingerprinting B windows services monitoring C malware disassembly D local and online malware scanning
B
Which of the following is an advantage of the Platform-as-a-Service (PaaS)? A data privacy B prebuilt business functionality C vendor lock-in D integration with the rest of the system applications
B
Which of the following phases of the computer forensics investigation process involves acquisition, preservation, and analysis of evidentiary data to identify the source of a crime and the culprit behind it? A pre-investigation phase B investigation phase C vulnerability assessment phase D post-investigation phase
B
Which of the following strategies focuses on minimizing the probability of risks and losses by searching for vulnerabilities in the system and appropriate controls? A Risk planning B Research and acknowledgment C Risk avoidance D Risk limitation
B
Which of the following techniques do you implement to respond to an insider attack? A Place all the users in a quarantine network B Place malicious users in a quarantine network C Allow malicious users to access sensitive information D Leave the insider's computer open on the network
B
Which of the following terms refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs? A expert testimony B forensic readiness C data acquisition D first response
B
A huge network of compromised systems used by attackers to perform denial-of-service attacks.
Botnet
Which of the following malware detection techniques is employed in intrusion analysis to identify the transfer of any unwanted traffic to malicious or unknown external entities? A covert malware beaconing B SSDT patching C covert C&C communication D kernel filter drivers
C
Wireshark, Colasoft Network Analyzer, OmniPeek, Observer, PRTG Network Monitor, NetFlow Analyzer
Browser Activity Monitoring Tools
Amber, a networking student, is trying to write a regex for the detection of logs that contain traces of a directory traversal attack involving characters '../'. Which of the following characters should she use to specify the hex equivalent for backward slash? A \%3E B \%2E C \%5C D \%2F
C
Chris is a forensic expert and was hired by a major financial company to use his services in incidents and crimes that involve the use of computers. Being a forensic expert, he has to perform many duties day-to-day. Choose the duties that Chris has to perform as a forensic expert from the list below: I. Determine the reason the incident happened II. Determine the nature of the system by analyzing it III. Establish secure network measures to avoid the incident from happening IV. Preserve, analyze, and submit in court A I, II, and III B II, III, and IV C I, II, and IV D I, II, III, and IV
C
From the following, identify the character that specifies the hex equivalent of O character in a regular expression. A \%3C B \%42 C \%4F D \%62
C
Identify an insider attack where a person surreptitiously overhears confidential conversations at boardrooms, meeting halls, and corridors. A impersonation B pod slurping C eavesdropping D shoulder surfing
C
Identify the phishing attack in which an attacker imitates the email writing style and other content to make his or her activities seem legitimate. A pharming B puddle phishing C CEO scam D spimming
C
In eradicating malware incidents, what is the name of the method used to block the harmful URLs, IP addresses, and email IDs that have acted as a source for spreading malware? A manual scan B fixing devices C blacklist D updating the malware database
C
In the DoS containment strategy, at what point will you ask your ISP to implement filtering? A After correcting the vulnerability or weakness that is being exploited B After relocating the affected target C After determining the method of attack D After identifying the attackers
C
What does \%27 indicate in the following regular expression? /((\%27)|(\'))union/ix A hex equivalent of hash character B hex equivalent of r character C hex equivalent of single-quote character D hex equivalent of O character
C
Which among the following is a process of rebuilding and restoring the computer systems affected by an incident to the normal operational stage? A Incident reporting B Incident handling C Incident recovery D Incident preparation
C
Which of the following activities involves all the processes, logistics, communications, coordination, and planning to respond to and overcome an incident efficiently? A Incident recovery B Incident recovery C Incident Handling D Incident reporting
C
Which of the following characteristics of cloud computing is employed by the cloud systems and works on a "pay-per-use" metering method? A on-demand self-service B rapid elasticity C measured service D resource pooling
C
Which of the following documents contains logs, records, documents, and any other information that is found on a system? A Incident preparation report B Incident response report C Host-based evidence report D Network-based evidence report
C
Which of the following is NOT an indicator of cloud security incidents? A creation of new accounts or duplication of the existing ones B inability to log into the account C authorized privilege escalation D increase/decrease of used cloud space
C
Which of the following is a methodology to create and validate a plan for maintaining continuous business operations before, during, and after incidents and disruptive events? A Incident response plan B Incident recovery plan C Business continuity planning D Business impact analysis
C
Which of the following is a process that ensures systems and major applications adhere to formal and established security requirements that are well documented and authorized? A Penetration testing B Computer forensics C Certification and Accreditation (C&A) D Incident handling
C
These controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.
Center for Internet Security (CIS) Controls
A legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory.
Chain of Custody
What are these the criteria of? Admissible, Authentic, Complete, Reliable, Believable
Characteristics of Digital Evidence
Tasklist or WMIC, PsLoggedOn, Net Sessions, LogonSessions
Check Active logon Sessions
The offense of wrongfully removing or wrongfully retaining, detaining, or concealing a child or baby.
Child Abduction
A criminal offense where a child or a minor is depicted engaging in sexually explicit conduct in photographs, film, video, pictures, or computer-generated images or pictures, whether made or produced by electronic, mechanical, or other means.
Child Pornography
A temporary storage area, where the system stores data during copy and paste operations.
Clipboard
Service hijacking using social engineering, service hijacking using network sniffing, session hijacking using XSS attacks, session hijacking using session riding, DNS attacks, side channel attacks, SQL injection attacks, cryptanalysis and wrapping attacks, DoS and DDoS attacks, man-in-the-middle attacks
Cloud Attacks
A party that performs an independent examination of cloud service controls with the intent of expressing an opinion thereon.
Cloud Auditor
Independent assessments of cloud service controls
Cloud Auditor
Manages cloud services
Cloud Broker
Connectivity and Transport
Cloud Carrier
An on-demand delivery of IT capabilities in which IT infrastructure and applications are provided to subscribers as a metered service over a network.
Cloud Computing
An on-demand delivery of IT capabilities that provides IT infrastructure and applications to subscribers as metered services over networks.
Cloud Computing
A set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment, whereby any evidence discovered is acceptable during a legal and/or administrative proceeding.
Computer Forensics
A group of computers connected to each other for easy sharing of information and resources.
Computer Network
The assurance that the information is accessible only to those who are authorized to have access.
Confidentiality
The essential settings that help the websites and applications with the hardware and software components to produce required output.
Configuration
A crucial step in the incident management process that focuses on preventing additional damage.
Containment
Cloud Passage Quarantine - containerized application that monitors endpoint looking for specific events.
Containment Tools for Cloud Security Incidents
Proxy Switcher Proxy Workbench CyberGhost VPN Tor
Containment Tools: Web Proxy Tools
Isolate the affected systems; disable the affected service; eliminate the attacker's route into the network; disable the user accounts used in account
Containment of Unauthorized Access Incidents
The process of analyzing various security controls implemented by the organization to eradicate or minimize the probability of threat source exploiting a system vulnerability.
Control Analysis
An employee who pretends to be a nice person while secretly performing malicious activities.
Corporate Mole
Also known as a one-click attack, occurs when a hacker instructs a user's web browser to send a request to the vulnerable website through a malicious web page.
Cross-site request forgery (CSRF) Attack
Refers to a contract between the organization and an insurer to protect related individuals from different threats and risks.
Cyber Insurance
Internet law refers to any laws that deal with protecting the Internet and other online communication technologies.
Cyber Law
Individuals with a wide range of skills, motivated by religious or political beliefs to create fear of large-scale disruption of computer networks.
Cyber Terrorists
A crime where attackers harass an individual, a group, or an organization using emails or IMs (instant messengers).
Cyberstalking
According to the NIST cloud deployment reference architecture, which of the following acts as an intermediary for providing connectivity and transport services between cloud consumers and providers? A cloud auditor B cloud provider C cloud broker D cloud carrier
D
An incident handler working in XYZ organization was assigned a task of detecting insider threats using behavioral analysis. Which of the following steps should be performed first in the behavioral analysis? A Compare behaviors across multiple users. B Build profiles of each group. C Discover outliers in each group. D Extract behavioral patterns.
D
From the following scenarios, identify the scenario that indicates "insufficient transport layer protection" under security misconfiguration vulnerability: A Input from a client is not validated before being processed by web applications and backend servers. B Manipulation of parameters exchanged between client and server to modify application data. C Giving insight into source code such as logic flaws and default accounts. D Supporting weak algorithms and using expired or invalid certificates, which exposes a user's data to untrusted third parties and can lead to account theft.
D
Identify the metric that is used to measure the magnitude of application layer attacks. A bits per second (bps) B packets per second (pps) C cycles per second (cps) D requests per second (rps)
D
Identify the reasons that make organizations not report computer crimes to law enforcement. I. Fear of negative publicity II. Lack of awareness of the attack III. Capability to handle incidents internally IV. Potential loss of customers A I, II, III and IV B I and II C I, II, and III D I, II, and IV
D
In live system analysis, which of the following tools is used to monitor the scheduled tasks? A Runscope B AlertSite C Sonar D CronitorCLI
D
In which Risk Assessment Methodology step do you identify the boundaries of the IT system and characterize it, in order to establish the scope of the risk assessment effort? A Threats Identification B Threat Characterization C System Identification D System Characterization
D
In which of the following stages of incident handling does classification and prioritization of incidents take place? A incident recording and assignment B incident containment C post-incident activities D incident triage
D
Incident reporting and assessment, assigning event identity and severity level, assigning incident task force members are part of which phase of incident response? A Incident Classification B Containment C Data collection D Identification
D
James, an incident responder at Trinity Inc., is investigating a cybercrime. In the process, he collected the evidence data from the victim systems and started analyzing the collected data. Identify the computer forensics investigation phase James is currently in. A risk assessment phase B post-investigation phase C pre-investigation phase D investigation phase
D
Jason is an incident handler at The Rolls Inc. One day his organization encounters a massive cyberattack, and he identifies a virus called "XYZ@ZYX" spreading among the computers in the network (AKA, a level CAT 3 attack). He has started investigating the issue; however, as an incident handler, within how much time from detection of such malicious code attacks should he report to the authorities? A one week B one fortnight C three hours D one hour
D
John is an incident response manager at XYZ Inc. As a part of IH&R policy of his organization, he signed a contract between the organization and a third-party insurer to protect organization individuals from different threats and risks. What is the contract signed by John called? A escrow agreement B disclosure agreement C ROE agreement D cyber insurance
D
What can be the result of Sender Policy Framework (SPF) protocol when the SPF record cannot be verified due to syntax or format errors in the record? A TempError B Neutral C Pass D PermError
D
What does the character 'x' indicate in the following regular expression? /(\')|(\%27)|(\-\-)|(#)|(\%23)/ix A and B or C case-insensitive D Ignore white spaces in the pattern.
D
Which among the following steps do you implement as a part of DoS attack prevention? A Disable Intrusion Detection Systems B Enable Remote Desktop Connection C Install and run packet sniffer on the workstation D Block traffic from unassigned IP address ranges
D
Which of the following activities is performed by an incident handler during the pre-investigation phase of computer forensics? A search and seizure B evidence assessment C data acquisition D risk assessment
D
Which of the following backup strategies provides daily status of the backup situation, such as successful, unsuccessful, not run, out of space, etc.? A security B guarantee C data availability D notifications
D
Which of the following is a preparation step for a cloud service provider (CSP)? A Clearly mention privileges of employees accessing the cloud. B Mention the critical services and application that need most attention to the CSP in order to have a priority list for containment and recovery. C Audit and prepare a list of all the systems and accounts that have access to the cloud. D Install database activity monitoring (DAM), data leak prevention (DLP), log analysis, and SIEM tools to simplify detection of incidents.
D
Which of the following is defined as an organized approach to address and manage the aftermath of a security breach or attack? A Threat B Risk assessment C Vulnerability assessment D Incident response
D
Which of the following malware components is a program that conceals its code and intended purpose via various techniques, making it hard for security mechanisms to detect or remove it? A injector B exploit C packer D obfuscator
D
Which of the following malware distribution techniques involves exploiting flaws in browser software to install malware just by visiting a webpage? A spear-phishing sites B social engineered click-jacking C compromised legitimate websites D drive-by downloads
D
Which of the following phishing attacks exploits instant-messaging platforms to flood spam across the networks? A puddle phishing B CEO scam C pharming D spimming
D
Which of the following phishing attacks targets high-profile executives, like CEOs, CFOs, politicians, and celebrities, who have complete access to confidential and highly valuable information? A spear phishing B spimming C pharming D whaling
D
Which of the following terms reflects an organization's mid-term and long-term goals for incident management capabilities? A IH&R team models B IH&R mission C IH&R staffing D IH&R vision
D
Which one of the following is the intangible cost for an incident? A Lost productivity hours B Investigation and recovery efforts C Loss of business D Loss of reputation
D
Spoofed attack
DRDos Distributed Reflection Denial of Service
FTK Imager, R-Drive Image, EnCase Forensic, Data Acquisition Toolbox, RAID Recovery for Windows, R-Tools R-Studio, F-Response Imager
Data Imaging Tools
A small network placed between the organization's private network and an outside public network.
De-Militarized Zone (DMZ)
A security strategy in which several protection layers are placed throughout an information system.
Defense-in-depth
Cat 0 - Exercise/Network Defense Testing; Cat 1 - Unauthorized Access; Cat 2 - Denial-of-Service; Cat 3 - Malicious Code; Cat 4 - Inappropriate Usage; Cat 5 - Scans/Probes/Attempts to Access; Cat 6 - Investigation
Define Incident Handling Criteria
An attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users.
Denial-of-Service (DoS) Attack
The minimum Security requirements cover 17 security related areas.
FIPS 200
View Windows Security Logs for failed logon attempts
Detecting Brute Force
Snort to detect malicious traffic
Detecting Firewall and IDS Evasion
Find URLs, uploads, downloads, emails.
Detecting Insider from Browser Data
Use Nuix Adaptive Security Tool to search for suspicious downloads
Detecting Insider from Data Exfiltration
Malicious Telnet connections: use Wireshark, filter for Telnet, and look for passwords or admin privileges.
Detecting Insider from Network Analysis
Autopsy Balbuzard Cryptam Malware Document Detection Suite
Detecting Insider from System analysis Tools
icmp.type==8 or icmp.type==0; tcp.dstport==7 to detect TCP ping sweep; udp.dstport==7 to detect UDP ping sweep
Detecting Ping Sweep with Wireshark
Mole Detection - leaking sensitive information Profiling- establish a pattern of normality
Detecting an Insider
Network logs, server logs, database logs; correlate them using a SIEM tool
Detecting an Insider Log Analysis
Windows: registry keys; macOS: System Information (USB); Linux: usb-devices command
Detecting insider from Removable Media Store
Defined as "any information of probative value that is either stored or transmitted in a digital form" and helps incident responders/investigators find the perpetrator.
Digital Evidence
OllyDbg IDA Pro WinDbg ProcDump KD CDB NTSD
Disassembly Tools for Malware Analysis
A process by which a magnetic field is applied to a digital media device, resulting in a device entirely clean of any previously stored data.
Disk Degaussing
A large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers (botnets) on the internet.
Distributed Denial-of-Service (DDoS) Attack
Also known as a "spoofed" attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application.
Distributed Reflection Denial-of-Service (DRDoS) Attack
The process of writing all the actions the investigators have performed during the investigation to obtain the desired results.
Documenting
arin.net internic.net freeality.com
Domain Names Tools
HOIC (High Orbit Ion Cannon), LOIC (Low Orbit Ion Cannon), HULK, Metasploit
DoS/DDoS attack tools
msinfo32 Driver Viewer Driver Booster Driver Reviewer Driver Easy Driver Fusion Driver Genius Unknown Device Driver Magician Driver hive Installed Driver List My Driver Driver Agent Plus Driver Pack
Driver Monitor Tools
Port Scanning Firewalking Banner Grabbing IP Address Spoofing Source Routing Tiny Fragments Using IP Address in place of URL
Firewall Evasion Techniques
Refers to the ability of a single cloud to handle data, accounts, systems, and applications of various organizations.
Elasticity
The process of repeatedly sending an email message to a particular address at a specific victim's site.
Email Bombing
MxToolbox Email Header Analyzer, Message Header Analyzer, IPTrackerOnline.com, G Suite Toolbox
Email Header Analysis Tools
Refers to the details of the source used to send the email.
Email Origin
Gpg4win - helps with encryption and digital signatures
Email Security Tools
Email Dossier, Email Address Verifier, EmailValidator, Email Checker, G-Lock Software
Email Validity Tools
The process of translating the data into a secret code so that only the authorized personnel can access it.
Encryption
Involves stealing proprietary information of any organization and passing the same to other organizations with the motive of negatively impacting its reputation or for some financial benefit.
Espionage
manageengine.com
Event Log Analyzer Tool
The process of relating the obtained evidential data to the incident for understanding how the complete incident took place.
Evidence Assessment
Date and time of seizure; who seized the evidence; exhibit number; where it was seized from; details of the contents; submitting agent
Evidence Bag
HashTab HashCalc MD5 Deep MD5Sums Tools4Noobs Cryptomathic Hashmyfiles
File Hashing Tools
Tripwire, Netwrix Auditor, Sigverif, Verisys, PA File Sight, CSP File Integrity Checker, NNT Change Tracker, AFICK, Fsum, OSSEC, IgorWare
File and Folder Monitoring Tools
OSForensics - helps discover relevant forensic data faster with high performance; Helix3 - cyber security solution integrated into the network that reveals internet abuse, data sharing, and harassment; Autopsy - digital forensic platform and graphical interface to The Sleuth Kit; EnCase Forensic - multi-purpose forensic platform with support for many devices; Foremost - console program to recover files based on their headers, footers, and internal data structures
Forensic Tools
Happens when hackers break into government or corporate computer systems as an act of protest.
Hacktivism
Individuals who promote a political agenda by hacking, especially by defacing or disabling websites.
Hacktivists
Hash Calc MD5 Calculator Hash My Files
Hash Tools
A computer system on the internet intended to attract and trap people who attempt unauthorized or illicit utilization of the host system.
Honeypot
Information security standard developed by the International Organization for Standardization; provides a global framework.
ISO 27000
Specifies the requirements for establishing, implementing, and continually improving information security.
ISO 27001:2013
Guidelines for Info Security Standards
ISO 27002
Presents basic concepts and phases of information security incident management.
ISO 27035
Dependency Walker Snyk Hakiri RetireJS
Identifying File Dependencies Tools
PEiD UPX ExeInfo AsPack
Identifying Packer Obfuscation Techniques Tools
PE Explorer PE Scan Resource Hacker PEview
Identifying Portable Executables Tools
Involves estimating the adverse impact caused due to the exploitation of the vulnerability by the threat source.
Impact Analysis
Symantec Data Loss Secure Trust Data Loss McAfee Total Protection Check Point Digital Guardian
Insider Threat Detection Tools DLP
The incidents in which a user violates the acceptable computing use policies.
Inappropriate Usage
Kiwi Log Viewer
Inappropriate Usage Incidents Accessing Malware
1. Preparation; 2. Incident Recording; 3. Incident Triage; 4. Notification; 5. Containment; 6. Evidence Gathering and Forensic Analysis; 7. Eradication; 8. Recovery; 9. Post-Incident Activities (Incident Documentation, Incident Impact Assessment, Review and Revise Policies, Close the Investigation, Incident Disclosure)
Incident Handling Response Steps
A process of taking organized and careful steps when reacting to a security incident or cyberattack.
Incident Handling and Response (IH&R)
A group of technically skilled people capable of carrying out various functions, such as threat intelligence, evidence analysis, and investigating the users.
Incident Handling and Response (IH&R) Team
The process of determining all types of losses that occurred because of the incident.
Incident Impact Assessment
A set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore normal service operations as quickly as possible and prevent future recurrence of the incident.
Incident Management
A process of developing a strategy to address the occurrence of any security breach in the system or network.
Incident Response
The process of superseding the manual IR actions with automatic IR actions using machines and tools.
Incident Response Automation
An approach to respond to the security incidents that occurred in an organization.
Incident Response Orchestration
Observing the behavior of an individual when alone, whereas group profiling is observing a person's behavior in a group.
Individual Profiling
Individuals who try to attack the companies for commercial purposes.
Industrial Spies
Can be defined as a piece of information identified as important to an organization.
Information Asset
Defined as "a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is kept low or tolerable."
Information Security
A network or host activity that impacts the security of information stored on network devices or systems with respect to confidentiality, integrity, and availability.
Information Security Incident
Defines the basic security requirements and rules to be implemented in order to protect and secure organization's information systems.
Information Security Policy
The use of information and communication technologies (ICT) to take competitive advantages over an opponent.
Information Warfare or InfoWar
Web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.
Injection Flaws
A web application vulnerability where input from a client is not validated before being processed by web applications and backend servers.
Input Validation Flaws
Any employee (trusted person) having access to critical assets of an organization.
Insider
An attack by someone from within an organization who has authorized access to its network and is aware of the network architecture.
Insider Attack
A threat that originates from people within the organization; it is typically carried out by a privileged user, disgruntled employee, terminated employee, accident-prone employee, third party, or undertrained staff.
Insider Threat
Review log files; look for indicators of unexplained financial gain; look for deleted log files; user alerting mechanism? Not sure which one.
Insider Threat Detection
ObserveIT - Monitors user behavior DataRobot - Automated Machine Learning platform to detect Insiders Ekran System - User-based insider threats SS8 Insider Threat Detection CyberArk Netwrix Auditor insightIDR Splunk UBA
Insider Threat Detection Tools
The trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose.
Integrity
A sensor-based technology that directly corrupts technological systems.
Intelligence-based Warfare
Belkasoft, RegScanner, MultiMon, Process Explorer, Security Task Manager, MetaData, HstEx, XpoLog
Other Forensic Tools
Sumo Logic Splunk cloud Papertrail Logz.io Timber
Other cloud based Analysis Tools
The calculation of probability that a threat source exploits an existing system vulnerability.
Likelihood Analysis
Organizations have limited control; prone to outages and other issues; security, privacy, and compliance issues; contract lock-ins; depends on network connection
Limitations of Cloud Environment
top - displays system summary info; w - displays current processes for each user; ps - info about root's processes; pstree - displays processes in a tree form
Linux Processes running
netstat, TCPView, CurrPorts, Dotcom-Monitor, Port Expert, PRTG Network Monitor, Nagios Port Monitor
Live Port Monitoring Tools
The process of acquiring volatile data from a working computer (either locked or in sleep condition) that is already powered on.
Live/Volatile Data Acquisition
An attack where an attacker exploits vulnerable inclusion procedures implemented in the web application.
Local File Injection (LFI)
Virus Total Jotti Metadefender Online Scanner IObit Cloud Threat Expert Valkyrie Dr. Web online Scanner Upload Malware Threat Analyzer Payload Security Anubis Windows Defender Bitdefender
Local and Online Malware Scanning Tools
Loggly, SolarWinds Log & Event Manager, Netwrix, LogFusion, Alert Logic, EventTracker, Process Lasso Pro, Splunk
Log Analysis Tools
A coding flaw that causes performance issues in the application or website and results in undesired or unwanted output.
Logic Error
Tripwire- can be used to monitor changes of assets in the cloud environment and generate alerts
MITC Attack Detection Tool
Repeated email messages
Mail Bombing
Flurry of messages
Mail Storming
Blackhat search engine optimization; social engineered click-jacking; spear-phishing sites; malvertising; compromised legitimate websites; drive-by downloads; spam email
Malware Distribution
Analyze Binary Codes File Fingerprinting
Memory Dump Analysis
Bintext Floss Strings Free Exe DLL Hex Workshop
Memory Dump Analysis String Search Tools
Alternate Data Streams
Memory Residents
Programs that always remain in internal memory; the operating system has no permission to swap them out to external storage.
Memory Residents
The information that stores details of data.
Metadata
Best practices regarding information security, published by NIST under the FISMA law.
NIST 800 Special Pub
Special publication step by step guide for incident response
NIST 800-61
A structured and continuous process that integrates information security and risk management activities into the system development lifecycle (SDLC).
NIST Risk Management Framework
The collection of computers and other hardware connected by communication channels to share resources and information.
Network
ns-3 Riverbed Modeler Qualnet
Network & Internet Simulators for Malware Analysis
Windows tool to collect info about the network; -a displays all active connections; -b displays the executable involved; -e displays Ethernet stats; -n shows active TCP connections expressed numerically; -o displays the PID; -p displays the protocol; -r shows the routing table
Network Command: netstat
Troubleshoots NetBIOS name resolution; -c shows the cache; -n shows names registered locally; -r shows names resolved through broadcast; -s shows current sessions
Network Commands: nbtstat
What kinds of tools are these? Capsa Wireshark Nessus PRTG GFI Languard Netfort LAN Guardian Network Analyzer Microsoft Network Monitor Manage Engine OP Manager
Network Monitor Tools
Suricata- real time IDS ntopng- web-based network traffic monitor Wireshark Colasoft OmniPeek Observer
Network Tools for Validation of Suspicious Events
A way to guarantee that the sender of a message cannot later deny having sent the message, and that the recipient cannot deny having received the message.
Non-repudiation
The permanent data stored on secondary storage devices, such as hard disks and memory cards.
Nonvolatile Evidence
tcp.flags==0x000
Null Scan Attempts
Information warfare that involves attacks against ICT assets of an opponent.
Offensive Information Warfare
The process of combining people, processes, and technologies to gain better results.
Orchestration
Professional hackers who attack systems for profit.
Organized Hackers
Qualys Cloud Platform Azure Security Centre Nessus Enterprise for AWS Symantec Cloud Workload Alert Logic
Other Cloud Security Tools
Payment card standards.
PCI DSS
A program used to compress or encrypt the executable programs.
Packer
A process of monitoring and capturing all data packets passing through a given network by using a software application or a hardware device.
Packet Sniffing
Refers to tracing back attack traffic.
Packet Traceback
A collection of words, letters, numbers, and/or special characters used for security processes such as user authentication or to grant access to a resource.
Password
A proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
Payment Card Industry Data Security Standard (PCI DSS)
Also known as phlashing; also called bricking a system.
Permanent DOS
Also known as phlashing, purely targets hardware causing irreversible damage to the hardware.
Permanent DoS (PDoS) Attacks
Also known as domain spoofing, is an advanced form of phishing in which the attacker redirects the connection between the IP address and its target server.
Pharming
Redirects to another website; also called "phishing without a lure".
Pharming
A practice of sending an illegitimate e-mail falsely claiming to be from a legitimate site in an attempt to acquire a user's personal or account information.
Phishing
Netcraft Phish Tank
Phishing Tools
A set of guidelines used to achieve goals and objectives of incident response initiative set by the IH&R plan.
Policy
Also known as the recommendation phase, which is performed after the risk assessment.
Post Assessment Phase
Which phase is this? Set up the lab, build the workstation, develop the toolkit
Pre-Investigate Phase
The preparatory phase, which includes defining policies and standards, defining the scope of assessment, designing appropriate information protection procedures, and identifying and prioritizing the critical assets to create a good baseline for vulnerability management.
Pre-assessment Phase
Train employees to detect social engineering attempts; conduct security awareness training; brief employees on how to identify suspicious espionage events; prohibit employees from disclosing confidential info; strict password management; principle of least privilege
Preparing to Handle the Insider Threat
Also known as internal or corporate cloud, is a cloud infrastructure that a single organization operates solely.
Private Cloud
Persons with unlimited permissions to the systems, such as user end points, organization data, cloud services, customer data, etc.
Privileged Users
Process Explorer, M/Monit, ESET SysInspector, System Explorer, Security Task Manager
Process Monitoring Tools
PromqryUI; nmap --script=sniffer-detect (ipaddress)
Promiscuous Detection Tools
SYN flood; ACK flood; TCP connection flood attack; TCP state exhaustion attack; fragmentation attack; RST attack
Protocol Attacks
Small Organizations
Puddle Phishing
A type of a malware, which restricts access to the computer system's files and folders and demands an online ransom payment to the malware creator(s) in order to remove the restrictions.
Ransomware
The information-gathering phase, in which attackers attempt to gather the target network's crucial information in order to perform attacks.
Reconnaissance
A significant step for restoring whatever services or materials might have been affected during an incident.
Recovery
Hackers who hack to learn and explore, by exploiting or manipulating technology.
Recreational Hackers
JV16 Power Tools 2017 - Cleans registry Regshot Reg Organizer Registry Viewer Reg Scanner Registrar
Registry Monitoring Tools
The connection between digital evidence and the fact that is to be proved.
Relevance
The steps taken to mitigate the vulnerabilities found, such as evaluating vulnerabilities, locating risks, and designing responses for the vulnerabilities.
Remediation
A technique that targets underlying web application vulnerabilities and launches attacks from a remote server.
Remote File Injection (RFI)
A situation involving exposure to danger (or) the possibility that something unpleasant or unwelcome will happen.
Risk
Identification of risks, estimation of impact and determining sources to recommend proper mitigation measures.
Risk Assessment
PILAR A1 Tracker Risk Management Studio
Risk Assessment Management Tools
Preventing the risk by curbing the cause of the risk and/or consequence.
Risk Avoidance
A crucial task in a risk assessment effort. It is a complex process and depends upon various tangible and intangible factors.
Risk Determination
An assessment of the resulting impact on the network.
Risk Level
A set of policies and procedures to identify, assess, prioritize, minimize, and control risks.
Risk Management
A process that is designed to identify, eliminate, or mitigate the risks that can cause damage to the organizational network and systems.
Risk Management Plan
Scales the risk occurrence/likelihood probability along with its consequences or impact.
Risk Matrix
A strategic approach to prepare for handling risks and reducing their impact on the organization.
Risk Mitigation
What are these? 1. Identify Crime Scene 2. Protect Crime Scene 3. Protect Fragile Evidence 4. Collect Info about incidents 5. Document All Findings 6. Package and transport the electronic evidence
Roles for First Responders
netstat -ab shows all executables; ListDLLs determines all DLLs loaded; PsList shows basic info on running processes
Running Processes
schtasks (Windows task monitor), MoTaSh, ADAudit, CronitorCLI, SolarWinds, Windows Task Scheduler
Schedule Task Monitoring Tools
Snag It Jing Camtasia Ezvid
Screen Capture Tools
Unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers.
Script Kiddies
A data processing technique used to analyze user activities within a certain time period.
Sessionization
Stealing credit/debit card numbers by using special storage devices called skimmers or wedges when processing the card.
Skimming
The art of convincing people to reveal confidential information.
Social Engineering
spam for instant messaging
Spimming
Autoruns, WinPatrol, Quick Startup, StartEd, Chameleon, BootRacer, Wintools.net, EF Startup, PC Startup, CCleaner, Startup Delayer
Start Up Tools
Individuals employed by the government to penetrate and gain top-secret information and to damage information systems of other governments.
State Sponsored Hackers
Nonvolatile data, which does not change its state after the system shuts down.
Static Data
The process of extracting and gathering the unaltered data from storage media.
Static Data Acquisition
A technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data.
Steganography
Prepare - performing audits of resources and determining the purpose of security; defining rules, policies, and procedures.
Step 1 IH&R
Incident Recording - Initial recording of the incident takes place. Identification of an incident. Reports suspicious behavior or submit ticket.
Step 2 IH&R
Triage - Incident will be analyzed and categorized to be prioritized.
Step 3 IH&R
Notification - The incident will be made known to the appropriate stake holders.
Step 4 IH&R
Containment - Simultaneous with notification, containment prevents the spread of the incident.
Step 5 IH&R
Evidence Gathering and Forensics - this is the phase where all of the evidence is gathered.
Step 6 IH&R
Eradication - The team will begin to remove the incident and patch the systems to prevent further spread.
Step 7 IH&R
Recovery - Restoring the affected systems will begin in this phase.
Step 8 IH&R
Post Incident Activities - 1. Documentation 2. Impact Assessment 3. Review and Revise Policies 4. Close the investigation 5. Incident Disclosure
Step 9 IH&R
Vulnerability analysis Artifact analysis Security Awareness training Intrusion Detection Public or technology monitoring
Steps of Incident Handling
A programming language meant for database management systems.
Structured Query Language (SQL)
Individuals who aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment.
Suicide Hackers
Mirekusoft Install Monitor, SysAnalyzer, Advanced Uninstaller Pro, Revo Uninstaller, Comodo Programs Manager
System Installation Monitoring Tools
net statistics server (Windows), PsUptime (Windows), net statistics (Windows), uptime and w (Linux)
System Uptime
The organization's direct expenditure resulting from an incident.
Tangible Cost
Insertion attack, evasion, denial-of-service attack, obfuscation, false positive generation, session splicing, etc.
Techniques to evade IDS
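Two of the techniques listed above, session splicing and obfuscation, shown against a content-matching detector, added here as an example and not code from the original Quizlet set. A signature-based IDS that inspects each packet on its own misses a signature split across small TCP segments or percent-encoded in the request target; a detector that reassembles the stream and normalizes it before matching catches both. The signature, the HTTP request and the function names are constructed for this example.

```python
import re
from typing import List
from urllib.parse import unquote_to_bytes

# Constructed content signature: path traversal to /etc/passwd or a SQL UNION injection.
SIGNATURE = re.compile(rb"/etc/passwd|union\s+select", re.IGNORECASE)


def splice(payload: bytes, chunk: int) -> List[bytes]:
    """Session splicing: spread one application-layer payload over many small
    TCP segments so that no single segment contains the whole signature."""
    return [payload[i:i + chunk] for i in range(0, len(payload), chunk)]


def obfuscate_path(request: bytes) -> bytes:
    """Obfuscation: percent-encode every byte of the request target. The web
    server decodes it back, but the literal signature never appears on the wire."""
    method, target, rest = request.split(b" ", 2)
    encoded = b"".join(b"%%%02X" % c for c in target)
    return b" ".join([method, encoded, rest])


def normalize(data: bytes) -> bytes:
    """Undo what an attacker stacks: bounded repeated percent-decoding (catches
    double encoding such as %252F) and case folding, so the match runs on what
    the server would actually see."""
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data.lower()


def naive_detect(segments: List[bytes]) -> bool:
    """Per-packet matching: the evadable approach."""
    return any(SIGNATURE.search(seg) for seg in segments)


def reassembling_detect(segments: List[bytes]) -> bool:
    """Stream reassembly plus normalization before matching."""
    return SIGNATURE.search(normalize(b"".join(segments))) is not None


if __name__ == "__main__":
    req = b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"
    for name, segs in [("spliced", splice(req, 4)), ("obfuscated", [obfuscate_path(req)])]:
        print(f"{name}: naive={naive_detect(segs)} reassembling={reassembling_detect(segs)}")
```

The bounded decode loop matters: an unbounded one is itself a denial-of-service vector against the sensor, which is another entry in the same list.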
The organizational resources that threat actors attack in order to gain complete control or to steal information for launching further attacks against the organization.
Threat Target and Assets
The collection and analysis of information about threats and adversaries, and the identification of patterns in it, that enable knowledgeable decisions about preparedness, prevention, and response against cyberattacks.
Threat Intelligence
An undesired event that attempts to access, exfiltrate, manipulate, or damage an organizational resource, compromising its confidentiality, integrity, or availability.
Threat
A person or entity responsible for an incident, or with the potential to impact the security of an organization's network.
Threat Actor
The process of examining, filtering, transforming, and modeling acquired threat data to extract threat intelligence.
Threat Assessment
The process of identifying and attributing the actors behind an attack, their goals and motives, and their sponsors.
Threat Attribution
The process of assessing threats and their impact under various conditions.
Threat Contextualization
Helps organizations monitor, detect, and escalate evolving threats across the organization's networks by relating observed events to known threat indicators.
Threat Correlation
Hyper-V, Parallels Desktop, Boot Camp
Tools - Virtual Machines for Malware Analysis
KFSensor, SSHHiPot, Artillery
Tools for Detecting DoS/DDoS
arp.duplicate-address-detected (Wireshark filter), XArp; others: ArpON, ARP AntiSpoofer
Tools for Detecting Sniffing and Spoofing (ARP Poisoning)
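The check behind the arp.duplicate-address-detected filter, implemented directly, added here as an example and not code from the original Quizlet set or from Wireshark: parse Ethernet/IPv4 ARP packets, remember which MAC first claimed each IP, and alert when a later packet claims the same IP from a different MAC, which is exactly what an ARP poisoning attack produces when it impersonates the gateway. The packet builder, the monitor class and the sample addresses are constructed for this example.

```python
import struct
from typing import Dict, Optional

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(payload: bytes) -> dict:
    """Parse the 28-byte Ethernet/IPv4 ARP packet that follows the Ethernet header."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sha": mac_str(payload[8:14]),  # sender hardware (MAC) address
        "spa": ip_str(payload[14:18]),  # sender protocol (IP) address
        "tha": mac_str(payload[18:24]),
        "tpa": ip_str(payload[24:28]),
    }


def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an ARP packet (constructed test data, no Ethernet header)."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)


class ArpMonitor:
    """Track the MAC that first claimed each IP and flag conflicting claims.

    Both requests and replies carry a sender IP/MAC pair, so both are learned;
    an ARP probe (sender IP 0.0.0.0) claims nothing and is ignored.
    """

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}  # ip -> mac that first claimed it

    def observe(self, payload: bytes) -> Optional[str]:
        pkt = parse_arp(payload)
        ip, mac = pkt["spa"], pkt["sha"]
        if ip == "0.0.0.0":
            return None
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return None
        if known != mac:
            return f"duplicate address: {ip} claimed by {known} and now by {mac}"
        return None


if __name__ == "__main__":
    mon = ArpMonitor()
    real = build_arp(ARP_REPLY, "aa:bb:cc:00:00:01", "192.168.1.1", "de:ad:be:ef:00:10", "192.168.1.10")
    fake = build_arp(ARP_REPLY, "66:66:66:66:66:66", "192.168.1.1", "de:ad:be:ef:00:10", "192.168.1.10")
    for p in (real, real, fake):
        print(mon.observe(p))
```

The monitor only knows which claim came first, not which is genuine: if the attacker's reply is the first one seen, the alert fires on the legitimate host's next packet. Seed the table from a trusted inventory (static gateway MAC, DHCP leases) before relying on it.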
AIDA64 Extreme
Tools for Inappropriate Usage Incidents
Genie Backup Manager, Macrium Reflect, R-Drive Image, O&O DiskImage
Tools for Malware Analysis OS Backup and Imaging
Extracting boot files: WinHex, TSK (The Sleuth Kit), Autopsy
Tools for Static Data
systeminfo.exe (Windows), PsInfo (Windows), cat (Linux), uname (Linux)
Tools for Volatile System Data
Cyber Triage, Process Explorer, PMDump, ProcDump, Process Dumper, PsList, tasklist
Tools for volatile data
PoliteMail.com, Yesware.com, ContactMonkey.com, Zendio.com, ReadNotify.com, didtheyreadit.com, whatismyipaddress.com
Tracing Email back to sender tools
Software or hardware that applies a set of rules to HTTP conversations in order to filter out malicious requests and data before they reach the web application.
Web Application Firewall (WAF)
Obtaining access to systems or network resources without authorization in order to steal or damage information.
Unauthorized Access
The cloud platform layer that lets clients install the virtual machines, systems, and servers needed to run their applications.
Virtualization
Temporary information on a digital device that requires a constant power supply and is lost when the power supply is interrupted.
Volatile Evidence
Data held in the registers, caches, and RAM of digital devices.
Volatile Information
Rekall, Memdump, MemGator
Volatile Memory Tools
Floods that consume network bandwidth; their magnitude is measured in bits per second (bps).
Volumetric DDOS
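A worked measurement of the point above, added here as an example and not code from the original Quizlet set: per-second bits-per-second and packets-per-second rates computed over a constructed packet capture, so that a bandwidth-filling (volumetric) flood and a high packet-rate SYN flood with tiny packets are told apart. The capture, the thresholds and the function names are this example's own; a real deployment would take the records from a pcap or flow export.

```python
from collections import defaultdict
from typing import Dict, List, Tuple


def synthetic_capture() -> List[Tuple[float, int]]:
    """Constructed (timestamp_seconds, bytes_on_wire) records, not real traffic:
    one second of normal browsing, one second of a UDP amplification flood,
    and one second of a SYN flood of minimum-size packets."""
    pkts: List[Tuple[float, int]] = []
    pkts += [(0 + i / 200, 800) for i in range(200)]         # ~1.3 Mbps, 200 pps
    pkts += [(1 + i / 20_000, 1400) for i in range(20_000)]  # 224 Mbps, 20 kpps
    pkts += [(2 + i / 50_000, 60) for i in range(50_000)]    # 24 Mbps, 50 kpps
    return pkts


def rates(pkts: List[Tuple[float, int]]) -> Dict[int, Tuple[int, int]]:
    """Per one-second bucket: (bits per second, packets per second)."""
    bytes_per_sec: Dict[int, int] = defaultdict(int)
    pkts_per_sec: Dict[int, int] = defaultdict(int)
    for ts, size in pkts:
        bucket = int(ts)
        bytes_per_sec[bucket] += size
        pkts_per_sec[bucket] += 1
    return {s: (bytes_per_sec[s] * 8, pkts_per_sec[s]) for s in sorted(bytes_per_sec)}


def classify(pkts: List[Tuple[float, int]], bps_limit: int, pps_limit: int) -> Dict[int, str]:
    """Label each second. Volumetric floods are recognised by bits per second;
    a SYN flood of tiny packets can stay well below the bandwidth limit while
    exhausting connection state, so packets per second is checked separately."""
    labels: Dict[int, str] = {}
    for sec, (bps, pps) in rates(pkts).items():
        kinds = []
        if bps >= bps_limit:
            kinds.append("volumetric")
        if pps >= pps_limit:
            kinds.append("packet-rate")
        labels[sec] = "+".join(kinds) if kinds else "normal"
    return labels


if __name__ == "__main__":
    capture = synthetic_capture()
    for sec, (bps, pps) in rates(capture).items():
        print(f"second {sec}: {bps / 1e6:.1f} Mbps, {pps} pps")
    print(classify(capture, bps_limit=100_000_000, pps_limit=30_000))
```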
The existence of a weakness, design flaw, or implementation error that, when exploited, leads to an unexpected and undesirable event compromising the security of the system.
Vulnerability
Qualys, Nessus, OpenVAS, AlienVault OSSIM
Vulnerability Analysis Tools
An examination of the ability of a system or application, including its current security procedures and controls, to withstand assault.
Vulnerability Assessment
Identifying vulnerabilities in the organization infrastructure including the operating system, web applications, web server, etc.
Vulnerability Assessment Phase
An important process that helps in finding and remediating security weaknesses before they are exploited.
Vulnerability Management Life Cycle
The process of discovering vulnerabilities and design flaws that will open a network, operating system, and its applications to attack or misuse.
Vulnerability Research
An unbounded data communication system that uses radio frequency technology to communicate with devices and obtain data.
Wireless Network
anti-abuse API, AutoShun, Cisco Umbrella, Alexa Top 1 Million sites
Whitelisting/Blacklisting Tools
SrvMan, Advanced Windows Service Manager, Netwrix Service Monitoring, AnVir Task Manager, Service+, Easy Windows Service Manager, Nagios XI Windows Service Monitor, PC Service Optimizer, Smart Utility
Windows Service Monitoring Tools
tcp.flags==0x029 (Wireshark display filter; matches segments with FIN, PSH, and URG set: 0x01 + 0x08 + 0x20)
Xmas Scan Attempts
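The same check implemented directly, added here as an example and not code from the original Quizlet set or from Wireshark: parse a raw TCP header, read the flags word, and label the FIN+PSH+URG "Xmas" combination; the block also generalizes to the NULL (no flags) and FIN-only stealth scans that the same flag inspection catches. The header builder, the sample segments and the function names are constructed for this example.

```python
import struct
from typing import List, Optional, Tuple

# TCP flag bits in the low byte of the 16-bit "data offset / reserved / flags" word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # 0x29, the value the Wireshark filter tcp.flags==0x029 matches


def tcp_flags(segment: bytes) -> int:
    """Return the 9 flag bits (NS plus CWR..FIN) of a raw TCP header without IP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (off_flags,) = struct.unpack("!H", segment[12:14])
    return off_flags & 0x01FF


def classify_scan(segment: bytes) -> Optional[str]:
    """Label flag combinations that only make sense as stealth-scan probes.

    A real connection never sends an empty flag byte, a bare FIN without ACK,
    or FIN+PSH+URG together; each elicits an RST from closed ports on
    RFC 793-conformant stacks and silence from open ones, which is the scan.
    """
    low = tcp_flags(segment) & 0xFF  # NS is ignored for classification
    if low == 0:
        return "null"
    if low == FIN:
        return "fin"
    if low == XMAS:
        return "xmas"
    return None


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed test data; sequence
    numbers, window, checksum and urgent pointer are dummy values)."""
    data_offset = 5  # header length in 32-bit words, no options
    off_flags = (data_offset << 12) | (flags & 0x01FF)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 8192, 0, 0)


def scan_segments(segments: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, label) for every segment that looks like a stealth scan."""
    hits = []
    for i, seg in enumerate(segments):
        label = classify_scan(seg)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    traffic = [
        build_tcp_header(51000, 443, SYN),             # normal handshake start
        build_tcp_header(51001, 22, FIN | PSH | URG),  # Xmas probe
        build_tcp_header(51002, 22, 0),                # NULL probe
        build_tcp_header(51003, 443, ACK | PSH),       # normal data segment
    ]
    for i, label in scan_segments(traffic):
        print(f"segment {i}: {label} scan, flags=0x{tcp_flags(traffic[i]):03x}")
```

The three-digit 0x029 in the Wireshark filter reflects that its tcp.flags field spans 12 bits (reserved bits, NS, and the eight classic flags), which is why the mask above keeps the NS bit but the classifier drops it.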