
THE P.T. 3: CHRONICLE: ( ex.12 )
89 questions • 6 months ago
  • The R.S.S.H Delivery Company

    Question list

  • 1

    Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place?

    - Mandatory vacations

  • 2

    This is the concept of having more than one person required to complete a particular task to prevent fraud and error.

    - Separation of duties

  • 3

    This, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur.

    - Dual control

  • 4

    This is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities.

    - Least privilege

  • 5

    Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards?

    - FISMA

  • 6

    This is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

    - COPPA

  • 7

    This is a United States federal law that sets new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

    - SOX

  • 8

    The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers.

    - HIPAA

  • 9

    An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise?

    - White team

  • 10

    This team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.

    - Purple team

  • 11

    This team is a group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers.

    - Blue team

  • 12

    This team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture.

    - Red team

  • 13

    Your incident response team has identified a persistent threat actor who has used a spear-phishing attack to compromise a system in your network. The actor used this system to move laterally within the network, stealing sensitive data. The team wants to understand the relationship between the adversary, the victim system, the phishing infrastructure used by the attacker, and the lateral movement capability. Which framework would best help them in this analysis?

    - Diamond Model of Intrusion Analysis

  • 14

    This describes the stages of a cyber attack, but it does not specifically analyze the relationships between the adversary, victim, infrastructure, and capability.

    - Cyber Kill Chain

  • 15

    This Guide provides a methodology for testing web application security, not for analyzing a cyber attack's relationships.

    - OWASP Testing Guide

  • 16

    This details tactics, techniques, and procedures used by attackers, but it does not specifically address the relationship between adversary, victim, infrastructure, and capability.

    - MITRE ATT&CK

  • 17

    What command should a forensic analyst use to make a forensic disk image of a hard drive?

    - dd

  • 18

    This is a standard UNIX/Linux command used to create files and to change or modify the timestamps of a file.

    - dd

  • 19

    This command is used to delete one or more files or directories.

    - rm

  • 20

    This command is a command-line utility for downloading files from the Internet.

    - wget

  • 21

    Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?

    - Attack surface

  • 22

    This defines the behavior of the adversary.

    - Threat model

  • 23

    This represents the specific points an adversary has chosen for a particular attack.

    - Attack vector

  • 24

    This set is the list of items an adversary can use to conduct their attack.

    - Adversary capability set

  • 25

    Which of the following tools would you use to audit a multi-cloud environment?

    - ScoutSuite

  • 26

    This is a cloud auditing tool, but it can only be used on A.W.S.

    - Prowler

  • 27

    This is a general-purpose vulnerability scanner but does not deal with cloud-specific issues.

    - OpenVAS

  • 28

    This is an exploitation framework that is used to test the security configurations of an A.W.S. account.

    - Pacu

  • 29

    Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain?

    - Diamond Model of Intrusion Analysis

  • 30

    Open I.O.C. contains a depth of research on A.P.T.s but does not integrate detection and mitigation strategies.

    - Open I.O.C.

  • 31

    This framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors.

    - MITRE ATT&CK framework

  • 32

    The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them.

    - Lockheed Martin cyber kill chain

  • 33

    Which of the following secure coding best practices ensures a character like < is translated into the &lt; string when writing to an H.T.M.L. page?

    - Output encoding

  • 34

    This can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker.

    - Error handling

  • 35

    This is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components.

    - Input validation

  • 36

    This implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session I.D.

    - Session management

  • 37

    From which entity does a User Agent request a resource during a S.A.M.L. transaction?

    - Service provider ( S.P. )

  • 38

    This "relies" on the Identity Provider to authenticate users and provide trustworthy identity information, thereby offloading the burden of user authentication and credential management.

    - Relying party ( R.P. )

  • 39

    The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions.

    - Identity provider (IdP)

  • 40

    S.A.M.L. is a solution for providing this and federated identity management.

    - Single sign-on (SSO)

  • 41

    When using the netstat command during an analysis, which of the following connection status messages indicates whether an active connection between two systems exists?

    - ESTABLISHED

  • 42

    This message indicates that the remote end has shut down the connection and is waiting for the socket to close.

    - CLOSE_WAIT

  • 43

    This message indicates that the remote end has shut down the connection, and the socket is closed and waiting for an acknowledgment.

    - LAST_ACK

  • 44

    This message indicates that the socket is waiting for an incoming connection from the second system.

    - LISTENING

  • 45

    Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?

    - Behavior

  • 46

    This analysis, which determines whether several observed data points constitute an indicator and whether related indicators make up an incident, depends on a good understanding of the relationship between the observed indicators.

    - Heuristic

  • 47

    This analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules.

    - Anomaly

  • 48

    This analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules.

    - Trend

  • 49

    Which of the following provides the detailed, tactical information that CSIRT members need when responding to an incident?

    - Procedures

  • 50

    This is a statement of intent and is implemented as a procedure or protocol.

    - Policies

  • 51

    This is a statement by which to determine a course of action. This aims to streamline particular processes according to a set routine or sound practice.

    - Guidelines

  • 52

    This is a basic structure underlying a system, concept, or text.

    - Framework

  • 53

    Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext?

    - Full packet capture

  • 54

    This analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent.

    - Net flow capture

  • 55

    This design documentation may also reveal the designer's intentions for authentication when they created the application, but it only provides an ‘as designed’ view of a given piece of software and does not indicate whether the ‘as-built’ configuration was implemented securely.

    - Software design documentation review

  • 56

    This event log being monitored might detect that an authentication event has occurred. Still, it will not necessarily reveal if the password was sent in cleartext, as a hash value, or in the ciphertext.

    - SIEM event log monitoring

  • 57

    Within evidence collection, in what order should the following evidence be captured? I.e., most volatile (most likely to change) first and least volatile (least likely to change) last.

    - CPU registers and cache memory (L1/L2/L3/GPU)
    - The contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory
    - Data storage devices like hard drives, SSDs, and flash memory devices
    - Backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams

  • 58

    Among the following vulnerabilities, which one was reported as a "Top 10" due to its common occurrence and the potential severity of its impact?

    - Cross-Site Scripting (XSS)

  • 59

    This attack was an impactful hardware vulnerability, but it's not typically categorized as a top 10 vulnerability.

    - Spectre Attack

  • 60

    This attack was significant and impacted the SSL 3.0 protocol, but it is not categorized as a top 10 widespread vulnerability.

    - Poodle Attack

  • 61

    This attack was a severe, targeted supply chain attack, not a common vulnerability like X.S.S.

    - SolarWinds SUNBURST Attack

  • 62

    Which one of the following vulnerabilities is commonly referred to as a "Top 10" due to its frequent occurrence and the severe repercussions associated with it?

    - Injection Attacks

  • 63

    This was a significant vulnerability affecting Apache Tomcat servers.

    - Ghostcat

  • 64

    CVE-2020-5902 is the identifier of this severe vulnerability.

    - F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability

  • 65

    This attack was an important finding in the realm of SHA-1 collisions but is not typically classified as a top 10 vulnerability.

    - Shattered Attack

  • 66

    An incident responder identifies the perpetrator of a security incident, the victim (a database server), the server used by the attacker, and the SQL injection technique used. Which framework is being employed for this intrusion analysis?

    - Diamond Model of Intrusion Analysis

  • 67

    This attack framework covers a variety of tactics, techniques, and procedures used by attackers.

    - MITRE ATT&CK

  • 68

    This methodology manual provides a structured approach to security testing.

    - OSSTMM

  • 69

    This describes the stages of a cyberattack, not the relationship between the attacker, victim, infrastructure, and capability.

    - Cyber Kill Chain

  • 70

    In the WannaCry ransomware attack, the NSA's leaked EternalBlue exploit was used to propagate the ransomware. In the context of the Diamond Model of Intrusion Analysis, what does the EternalBlue exploit represent?

    - Capability

  • 71

    This is the entity conducting the attack, not the tools or techniques used in the attack.

    - Adversary

  • 72

    This refers to the physical and virtual resources used in the attack, not the tools or techniques used in the attack.

    - Infrastructure

  • 73

    This is the target of the attack, not the tools or techniques used in the attack.

    - Victim

  • 74

    In the Diamond Model of Intrusion Analysis, which of the four components represents the entity or individual who conducts the cyber attack?

    - Adversary

  • 75

    This component refers to the physical and virtual resources utilized in the attack, not the one who conducts it.

    - Infrastructure

  • 76

    This represents the entity that is targeted by the attack, not the one who conducts it.

    - Victim

  • 77

    This represents the tools and techniques used in the attack, not the entity or individual conducting it.

    - Capability

  • 78

    Following a significant data breach, a multinational corporation has hired a third-party firm to systematically search through its IT systems to identify the intrusion's origin and extent. This external firm is also expected to provide a detailed report on their findings. Which of the following post-incident activities BEST describes what the corporation is performing in this scenario?

    - Forensic analysis

  • 79

    This analysis is a method used to identify the primary cause or causes of an incident. Although this may be part of the overall process, the scenario specifically mentions a detailed and systematic examination, which aligns more with forensic analysis.

    - Root cause analysis

  • 80

    This is a set of procedures and processes to handle and manage an incident effectively.

    - Incident response plan

  • 81

    This is the process of reflecting on a completed incident to identify what was done well and what needs improvement for future incidents.

    - Lessons learned

  • 82

    The 2017 WannaCry ransomware attack exploited a specific vulnerability in Microsoft's implementation of the SMB protocol, impacting thousands of computers worldwide. Which of the following patches, if applied timely, could have prevented this large-scale compromise?

    - MS17-010

  • 83

    This bulletin addressed a collection of vulnerabilities, primarily focused on the Microsoft Graphics Component, as well as issues in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight, and the .NET Framework.

    - MS16-120

  • 84

    This bulletin addressed multiple vulnerabilities, primarily within Windows Uniscribe, a complex script layout engine used by various Windows applications to render text.

    - MS17-011

  • 85

    This bulletin addressed elevation of privilege vulnerabilities in Microsoft Windows kernel-mode drivers.

    - MS16-098

  • 86

    You are a cybersecurity analyst investigating a potential network issue at your company. You suspect there is unusual traffic on your company's network. Which of the following tools would be most effective for capturing and analyzing network packets in real-time to investigate this issue?

    - tcpdump

  • 87

    This is a basic network tool used to test whether a particular host is reachable across an I.P. network and to measure the round-trip time for packets. It doesn't provide real-time traffic analysis.

    - Ping

  • 88

    This is also a network protocol analyzer; it provides a GUI and more detailed analysis features than tcpdump.

    - Wireshark

  • 89

    This is primarily used for network discovery and security auditing. It can identify what hosts are available on the network, what services those hosts are offering, what operating systems they are running, and what type of packet filters/firewalls are in use.

    - Nmap

    問題一覧

  • 1

    Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place?

    - Mandatory vacations

  • 2

    This is the concept of having more than one person required to complete a particular task to prevent fraud and error.

    - Separation of duties

  • 3

    This, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur.

    - Dual control

  • 4

    This is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities.

    - Least privilege

  • 5

    Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards?

    - FISMA

  • 6

    This is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

    - COPPA

  • 7

    This is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

    - SOX

  • 8

    The Health Insurance Portability and Accountability Act (HIPPA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers.

    - HIPPA

  • 9

    An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise?

    - White team

  • 10

    This team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.

    - Purple team

  • 11

    This team is a group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers.

    - Blue team

  • 12

    This team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture.

    - Red team

  • 13

    Your incident response team has identified a persistent threat actor who has used a spear-phishing attack to compromise a system in your network. The actor used this system to move laterally within the network, stealing sensitive data. The team wants to understand the relationship between the adversary, the victim system, the phishing infrastructure used by the attacker, and the lateral movement capability. Which framework would best help them in this analysis?

    - Diamond Model of Intrusion Analysis

  • 14

    This describes the stages of a cyber attack, but it does not specifically analyze the relationships between the adversary, victim, infrastructure, and capability.

    - Cyber Kill Chain

  • 15

    This Guide provides a methodology for testing web application security, not for analyzing a cyber attack's relationships.

    - OWASP Testing Guide

  • 16

    This details tactics, techniques, and procedures used by attackers, but it does not specifically address the relationship between adversary, victim, infrastructure, and capability.

    - MITRE ATT&CK

  • 17

    What command should a forensic analyst use to make a forensic disk image of a hard drive?

    - dd

  • 18

    This command is a standard command used in the UNIX/Linux operating system used to create, change, and modify timestamps of a file.

    - dd

  • 19

    This command is used to delete one or more files or directories.

    - rm

  • 20

    This command is a command-line utility for downloading files from the Internet.

    - wget

  • 21

    Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?

    - Attack surface

  • 22

    This defines the behavior of the adversary.

    - Threat model

  • 23

    This represents the specific points an adversary has chosen for a particular attack.

    - Attack vector

  • 24

    This set is the list of items an adversary can use to conduct their attack.

    - Adversary capability set

  • 25

    Which of the following tools would you use to audit a multi-cloud environment?

    - ScoutSuite

  • 26

    This is a cloud auditing tool, but it can only be used on A.W.S

    - Prowler

  • 27

    This is a general-purpose vulnerability scanner but does not deal with cloud-specific issues.

    - OpenVAS

  • 28

    This is an exploitation framework that is used to test the security configurations of an A.W.S. account

    - Pacu

  • 29

    Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain?

    - Diamond Model of Intrusion Analysis

  • 30

    Open I.O.C. contains a depth of research on A.P.Ts but does not integrate the detections and mitigation strategy.

    - Open I.O.C.

  • 31

    This framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors.

    - MITRE ATT&CK framework

  • 32

    The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but do not deal with the specifics of how to mitigate.

    - Lockheed Martin cyber kill chain

  • 33

    Which of the following secure coding best practices ensures a character like  < is translated into the < string when writing to an H.T.M.L page?

    - Output encoding

  • 34

    This can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker.

    - Error handling

  • 35

    This is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components

    - Input validation

  • 36

    This implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session I.D.

    - Session management

  • 37

    From which entity does a User Agent request a resource during a S.A.M.L. transaction?

    - Service provider ( S.P. )

  • 38

    This "relies" on the Identity Provider to authenticate users and provide trustworthy identity information, thereby offloading the burden of user authentication and credential management.

    - Relying party ( R.P. )

  • 39

    The I.d.P requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions

    - Identity provider (IdP)

  • 40

    S.A.M.L. is a solution for providing This and federated identity management.

    - Single sign-on (SSO)

  • 41

    When using the netstat command during an analysis, which of the following connection status messages indicates whether an active connection between two systems exists?

    - ESTABLISHED

  • 42

    This message indicates that the remote end has shut down the connection and is waiting for the socket to close

    - CLOSE_WAIT

  • 43

    This message indicates that the remote end has shut down the connection, and the socket is closed and waiting for an acknowledgment.

    - LAST_ACK

  • 44

    This message indicates that the socket is waiting for an incoming connection from the second system.

    - LISTENING

  • 45

    Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?

    - Behavior

  • 46

    This analysis determines whether several observed data points constitute an indicator and whether related indicators make up an incident depend on a good understanding of the relationship between the observed indicators.

    - Heuristic

  • 47

    This analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules.

    - Anomaly

  • 48

    This analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules.

    - Trend

  • 49

    Which of the following provides the detailed, tactical information that C.SIRT members need when responding to an incident?

    - Procedures

  • 50

    This is a statement of intent and is implemented as a procedure or protocol.

    - Policies

  • 51

    This is a statement by which to determine a course of action. This aims to streamline particular processes according to a set routine or sound practice.

    - Guidelines

  • 52

    This is a basic structure underlying a system, concept, or text.

    - Framework

  • 53

    Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext?

    - Full packet capture

  • 54

    This analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent.

    - Net flow capture

  • 55

    This design documentation may also reveal the designer's intentions for authentication when they created the application, but this only provides an ‘as designed’ approach for a given software and does not provide whether the ‘as-built’ configuration was implemented securely.

    - Software design documentation review

  • 56

    This event log being monitored might detect that an authentication event has occurred. Still, it will not necessarily reveal if the password was sent in cleartext, as a hash value, or in the ciphertext.

    - SIEM event log monitoring

  • 57

    Within evidence collection, What is the following order of evidence you should capture? I.E. ( most likely to change ) first and the least volatile (least likely to change) last.

    - CPU registers and cache memory (L1/L2/L3/GPU), - The contents of system memory (RAM), including a routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory., - Collection of data storage devices like hard drives, SSDs, and flash memory devices., - Backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams

  • 58

    Among the following vulnerabilities, which one was reported as a "Top 10" due to its common occurrence and the potential severity of its impact?

    - Cross-Site Scripting (XSS)

  • 59

    This attack was an impactful hardware vulnerability, but it's not typically categorized as a top 10 vulnerability.

    - Spectre Attack

  • 60

    This attack was significant and impacted the SSL 3.0 protocol, but it is not categorized as a top 10 widespread vulnerability.

    - Poodle Attack

  • 61

    This attack was a severe, targeted supply chain attack, not a common vulnerability like XSS.

    - SolarWinds SUNBURST Attack

  • 62

    Which one of the following vulnerabilities is commonly referred to as a "Top 10" due to its frequent occurrence and the severe repercussions associated with it?

    - Injection Attacks

  • 63

    This was a significant vulnerability affecting Apache Tomcat servers.

    - Ghostcat

  • 64

    CVE-2020-5902 is the identifier assigned to this severe vulnerability.

    - F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability

  • 65

    This attack was an important finding in the realm of SHA-1 collisions but is not typically classified as a top 10 vulnerability.

    - Shattered Attack

  • 66

    An incident responder identifies the perpetrator of a security incident, the victim (a database server), the server used by the attacker, and the SQL injection technique used. Which framework is being employed for this intrusion analysis?

    - Diamond Model of Intrusion Analysis

  • 67

    This attack framework covers a variety of tactics, techniques, and procedures used by attackers.

    - MITRE ATT&CK

  • 68

    This methodology manual provides a structured approach to security testing.

    - OSSTMM

  • 69

    This describes the stages of a cyberattack, not the relationship between the attacker, victim, infrastructure, and capability.

    - Cyber Kill Chain

  • 70

    In the WannaCry ransomware attack, the NSA's leaked EternalBlue exploit was used to propagate the ransomware. In the context of the Diamond Model of Intrusion Analysis, what does the EternalBlue exploit represent?

    - Capability

  • 71

    This is the entity conducting the attack, not the tools or techniques used in the attack.

    - Adversary

  • 72

    This refers to the physical and virtual resources used in the attack, not the tools or techniques used in the attack.

    - Infrastructure

  • 73

    This is the target of the attack, not the tools or techniques used in the attack.

    - Victim

  • 74

    In the Diamond Model of Intrusion Analysis, which of the four components represents the entity or individual who conducts the cyber attack?

    - Adversary

  • 75

    This component refers to the physical and virtual resources utilized in the attack, not the one who conducts it.

    - Infrastructure

  • 76

    This represents the entity that is targeted by the attack, not the one who conducts it.

    - Victim

  • 77

    This represents the tools and techniques used in the attack, not the entity or individual conducting it.

    - Capability

  • 78

    Following a significant data breach, a multinational corporation has hired a third-party firm to systematically search through its IT systems to identify the intrusion's origin and extent. This external firm is also expected to provide a detailed report on their findings. Which of the following post-incident activities BEST describes what the corporation is performing in this scenario?

    - Forensic analysis

  • 79

    This analysis is a method used to identify the primary cause or causes of an incident. Although this may be part of the overall process, the scenario specifically mentions a detailed and systematic examination, which aligns more with forensic analysis.

    - Root cause analysis

  • 80

    This is a set of procedures and processes to handle and manage an incident effectively.

    - Incident response plan

  • 81

    This is the process of reflecting on a completed incident to identify what was done well and what needs improvement for future incidents.

    - Lessons learned

  • 82

    The 2017 WannaCry ransomware attack exploited a specific vulnerability in Microsoft's implementation of the SMB protocol, impacting thousands of computers worldwide. Which of the following patches, if applied in a timely manner, could have prevented this large-scale compromise?

    - MS17-010

  • 83

    This bulletin addressed a collection of vulnerabilities, primarily focused on the Microsoft Graphics Component, as well as issues in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight, and the .NET Framework.

    - MS16-120

  • 84

    This bulletin addressed multiple vulnerabilities, primarily within Windows Uniscribe, a complex script layout engine used by various Windows applications to render text.

    - MS17-011

  • 85

    This bulletin addressed elevation of privilege vulnerabilities in Microsoft Windows kernel-mode drivers.

    - MS16-098

  • 86

    You are a cybersecurity analyst investigating a potential network issue at your company. You suspect there is unusual traffic on your company's network. Which of the following tools would be most effective for capturing and analyzing network packets in real-time to investigate this issue?

    - tcpdump

  • 87

    This is a basic network tool used to test whether a particular host is reachable across an IP network and to measure the round-trip time for packets. It doesn't provide real-time traffic analysis.

    - Ping

  • 88

    This is also a network protocol analyzer; it provides a GUI and more detailed analysis features than tcpdump.

    - Wireshark

  • 89

    This is primarily used for network discovery and security auditing. It can identify what hosts are available on the network, what services those hosts are offering, what operating systems they are running, and what type of packet filters/firewalls are in use.

    - Nmap