CySA+ Flashcards

Question

Process Hollowing

Answer 1

Dropper starts process in a suspended state, then rewrites the memory locations containing the process code with the malware code

Answer 2

Unclassified- no restrictions Classified- viewing restricted to authorized persons within organization or to third parties under NDA Confidential- highly sensitive, only for approved persons within org (and MAYBE trusted third parties under NDA) Secret- valuable info, viewing must be severely restricted Top Secret- info that would cause grave danger if inadvertently disclosed

Answer 3

Sarbanes-Oxley Act Law in regards to an organization's financial and business operations- specifies what types of documents need to be kept and for how long (auditing)

Answer 4

Gramm-Leach-Bliley Act Sets forth requirements that help protect the privacy of an individual's financial information that is held by financial institutions or others that may store it

Answer 5

Federal Information Security Management Act Sets forth requirements for federal organizations to adopt information assurance controls

Answer 6

Role focused on the quality of the data and associated metadata

Answer 7

Interconnection Security Agreement Document that regulates security-relevant aspects of an intended connection between a government agency and an external system

Answer 8

Physically Unclonable Function A physical entity embodied in a physical structure, usually implemented in integrated circuits. These physical variances can actually be used in cryptographic functions.

Answer 9

Provides CPU hardware-level isolation and memory encryption on every server, by isolating application code and data from anyone with privileges, and encrypting its memory. With additional software, secure enclaves enable the encryption of both storage and network data for simple full stack security. Secure enclave hardware support is built into all new CPUs from Intel and AMD.

Answer 10

Enterprise Mobility Management MDM suite with broader capabilities such as IAM

Answer 11

Any code that is used or invoked outside the main program development process- Code Reuse Using a third-party library Software Development Kit

Answer 12

Digital serial data communications used in OT networks to link PLCs

Answer 13

Trusted Platform Module Hardware in COMPUTER that assists with cryptographic functions

Answer 14

CPU's security extensions invoke a TPM and secure boot attestation to ensure that a trusted OS is running

Answer 15

Programmable Logic Controller Type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems

Answer 16

Programming that is written directly to a hardware device's static memory. It is used to run user programs on the device and can be thought of as the software that enables hardware to run. Firmware has complete control over hardware and system memory, thereby making it a lucrative target

Answer 17

Committee of Sponsoring Organizations of the Treadway Commission Provides guidance on a variety of governance related topics including fraud, controls, finance and ethics

Answer 18

Coding methods to anticipate and deal with exceptions thrown during execution of a process

Answer 19

Identify how the process interacts with the Registry and file system How is it being launched? Is the image file located in system folder or a temp folder? What files are being manipulated by the process? Does the process restore itself upon reboot after deletion? Does a system privilege or service get blocked if you delete the process? Is the process interacting with the network?

Answer 20

These are client-side errors. 400- request couldn't be parsed by server 401- request didn't supply authentication credentials 403- insufficient permissions 404- requested resource doesn't exist

Answer 21

Transmitting data over nonstandard port Encoding data in TCP/IP packet headers Segmenting data into multiple packets and sending spread out Obfuscation by using HEX Transmitting encrypted data

Answer 22

Techniques that require analysis of the contents of system memory and of process behavior rather than scanning the file system

Answer 23

Connections that are permitted or denied Port and protocol usage within network Bandwidth utilization with the duration and volume of usage Audit log of all address translations that occurred

Answer 24

Annual Loss Expectancy Multiply SLE (Single Loss Expectancy) by ARO (Annual Rate of Occurrence) Example- if SLE is $2500, and it will likely happen 4 times, the ALE would be $10,000

Answer 25

Risk-based framework that is focused on IT security over IT service provision. FRAMEWORK CORE identifies five key functions (Identify, Protect, Detect, Respond, Recover) with subcategories IMPLEMENTATION TIERS see how closely the FRAMEWORK CORE functions are integrated with org's overall risk management process FRAMEWORK PROFILES show current/target outcomes to identify where it is best to invest to close the gap in any cybersecurity capabilities

Answer 26

Use of tools to map out layout of a NETWORK, usually in terms of IP address usage Routing topology DNS namespace

Answer 27

Use of tools that perform HOST SYSTEM DETECTION to map out data like Open ports OS type and version File shares Running services/applications System uptime Other useful metadata

Answer 28

Probe open ports to determine service/version info

Answer 29

Enable OS detection, version detection, script scanning and traceroute

Answer 30

Sanitizing solid-state device using manufacturer provided software

Answer 31

Return on Security Investment Is a security control worth the cost of deploying and maintaining it? ((ALE-ALE with mitigation in place) - Cost of mitigation)/Cost of mitigation

Answer 32

Fragmentation, splits TCP header of each probe between multiple IP datagrams to make it hard for IDS/IPS to detect

Answer 33

Method of restoring a system that has been sanitized using scripted installation routines and templates

Answer 34

TCP SYN scan, or "half open" scan Sends a SYN packet to identify the port state without sending back an ACK afterwards Requires root privileges on system you're scanning from

Answer 35

Work Recovery Time Length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event

Answer 36

Framework for defining the baseline, goals, and methods to secure a business

Answer 37

Recovery Point Objective Goal for maximum amount of DATA organization can tolerate losing. Measured in time

Answer 38

Recovery Time Objective Goal an organization sets for maximum length of time it should take to restore normal ops following an outage

Answer 39

Continuous Diagnostics and Mitigation Provides US gov. agencies/departments with capabilities and tools to identify cybersecurity risks on ongoing basis, prioritize them based on potential impact, and enable cybersecurity personnel to mitigate the most significant problems

Answer 40

Common Vulnerability Scoring System Way to quantify vulnerability data and then take into account degree of risk to different types of system info 0- no risk 0.1-3.9- Low 4.0-6.9- Medium 7.0-8.9- High 9.0-10.0- Critical

Answer 41

Request for Change Document that lists the reason for a change and the procedures to implement that change

Answer 42

Spoofing tool that allows crafting of network packets to exploit vulnerable IDS/IPS

Answer 43

Command line tool used to brute-force WPS enabled accessed points. WPS used 8 digit points so very easy to hack into

Answer 44

Printers VoIP phones Embedded Systems

Answer 45

SERVICE ACCOUNTS, not local admins

Answer 46

Command line tool used to poison responses to NetBIOS, LLMNR and MDNS name resolution requests in an attempt to perform a Man in the Middle attack. Intercepts request and the returns attacker IP as the name record

Answer 47

Suite of utilities designed for wireless network security testing

Answer 48

Utility in Aircrack-ng Enable/disable monitor mode on cards

Answer 49

Utility in Aircrack-ng Capture wireless frames

Answer 50

Utility in Aircrack-ng Deauth users and impersonate

Answer 51

Utility in Aircrack-ng Extract auth key and retrieve plaintext password- only works on WEP networks

Answer 52

Command line tool used to perform brute force and dictionary attacks against password hashes Uses GPU to perform brute force cracking faster

Answer 53

Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures Example- using %2e%2e%2f in place of ../

Answer 54

Technique that defends against SQL injection and insecure object references by incorporating placeholders in a SQL query Basically says "only use these formats"

Answer 55

A type of session hijacking in which attacker alters, forges, hijacks an otherwise valid cookie sent back to a server to steal data, bypass security, or both

Answer 56

Attacker executes a script to inject a remote file INTO the web app or website. Example- embedding a hidden URL into the request to have it execute a script hosted on another site

Answer 57

Attacker adds a file to the web app or website that already exists on the hosting server. Example- using directory traversal to try and get the web server to allow a command prompt

Answer 58

Coding vulnerability where unvalidated input is used to select a resource object like a file or database To mitigate, implement access control techniques in applications to verify a user is authorized to access a specific object

Answer 59

Encryption or Input Validation

Answer 60

A string is stripped of illegal characters or substrings and converted to the accepted character set

Answer 61

Coding method to sanitize output by converting untrusted output to a SAFE FORM where the input is DISPLAYED AS DATA to the user WITHOUT EXECUTING AS CODE in the browser

Answer 62

Request user-specific tokens in all form submissions

Answer 63

Secure- instructs client's web browser to only send cookie if its over secure channel (HTTPS) HTTP Only- disables access from client-side scripting to your cookie, can only access via HTTP Domain- sets domain of server that cookie is valid for, limits who has access Path- Specify URL path for which cookie is valid Expires- specify when persistent cookie expires

Answer 64

Frame busting- a technique that removes the malicious iframe loaded on a site by forcing a specific page to the top frame. Can be implemented using Javascript or by setting X-FRAME-OPTIONS to DENY

Answer 65

XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it. Used in Billion Laughs Attack, which would define 10 entities that each defined as consisting of 10 of the previous entity, which eventually expands to one billion copies of the first entity. This would most likely exceed computer memory. The first entity was LOL, by the way.

Answer 66

XML External Entity Type of attack against an application that parses XML input Occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser Attack can lead to disclosure of confidential data, DoS, server side request forgery, etc

Answer 67

Cross-site Scripting User trusts a badly implemented website Attacker injects a script into the trusted website User's browser executes attacker's script

Answer 68

Cross-Site Request Forgery A badly implemented website trusts the user Attacker tricks user's browser into issuing requests Website executes the attacker's requests

Answer 69

Applications should ONLY send data between authenticated hosts using encryption to protect the session Do NOT use hardcoded credentials in the application Disable use of client password autocomplete features, temporary files, and cookies

Answer 70

Form of XSS that targets the Document Object Model on websites. Never reaches the server and instead executes in the user's browser. Example- a page designed to take a user's name and display it on the webpage could have scripting executed in it if a malicious url was sent to the user. Then when they navigate to this page, it executes the script and makes the page look completely different

Answer 71

Creates and updates inventory of assets by conducting enumeration of network without scanning for vulnerabilities

Answer 72

Extensible Configuration Checklist Description Format A structured collection of security configuration rules for some set of target systems. Written in XML

Answer 73

Open Vulnerability and Assessment Language XML schema for describing system security state and querying vulnerability reports and information

Answer 74

Security Content Automation Protocol NIST Framework that outlines acceptable practices for vulnerability scanning and standardizes the format and descriptive language with which software flaws and security configuration information is communicated, both to machines and humans.

Answer 75

Sysinternals utility that allows you to verify root certificates in the local store against Microsoft's master trust list

Answer 76

Access Complexity High or Low

Answer 77

Common Configuration Enumeration Scheme for provisioning secure configuration checks across multiple sources

Answer 78

Software development method where application and platform requirements are frequently tested and validated for immediate availability

Answer 79

Software development method where code updates are tested and committed to a dev or build server/code repository rapidly

Answer 80

Opensource cloud penetration testing framework to test the security configuration of an AWS account

Answer 81

Auditing tool for AWS that evaluates the cloud infrastructure against AWS benchmarks, GDPR compliance, and HIPAA compliance

Answer 82

Open-source tool written in Python that can audit instances and policies created on multicloud platforms

Answer 83

Cross Origin Resource Sharing Policy A CDN policy that instructs the browser to treat requests from nominated domains as safe Weak CORS policies can expose site to XSS vulnerabilities

Answer 84

API must only be used over an encrypted channel Data received by an API must pass server-side validation routines Error messages should be sanitized Implement throttling/rate limiting mechanisms to protect from a DoS APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data

Answer 85

Function as a Service Cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language "Run things and make applications without having our own servers"

Answer 86

Automation tool that uses YAML files rather than user agents

Answer 87

Command line tool to transfer data from or to a server, using protocols like HTTP, FTP, etc

Answer 88

Security Assertions Markup Language XML-based data format used to exchange authentication info between a client and a service Provides SSO and federated identity management

Answer 89

Simple Object Access Protocol XML-based web services protocol that is used to exchange messages between applications

Answer 90

Enterprise Service Bus Common component of SOA (service oriented architecture) that facilitates decoupled service-to-service communication

Answer 91

Service Oriented Architecture Software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology Each piece can be produced/tested separately Each service takes defined inputs and produces defined outputs An overall architecture for mapping business workflows to the IT systems that support them

Answer 92

Most widely used web app scanner. Free and open source.

Answer 93

Man in the middle software that sits between a client and server and allows requests/responses to be analyzed and modified

Answer 94

Proprietary tool for performing security testing of web applications that supports the entire testing process, from initial mapping and analysis of attack surface to finding and exploiting security vulnerabilities

Answer 95

Open source web application scanner with a GUI, makes findings a lot easier to take in

Answer 96

Widely used vulnerability scanner that can identify known web server vulnerabilities and misconfigurations, identify web appliances running on a server, and identify potential known vulnerabilities in those web applications Command-line only, so data can be challenging to digest

Answer 97

Open-source tool that converts an OS to a relational database so that you can perform easy analytics using SQL queries

Answer 98

Dynamic code analysis technique that involves sending a running application random and unusual input to evaluate how the application responds

Answer 99

Dynamic testing tool used to analyze software as it executes

Answer 100

Using an obfuscator

Answer 101

Interactive Disassembler Popular cross-platform disassembler and decompiler used by reverse engineers

Answer 102

Pseudocode

Answer 103

Reverse engineering tool that converts machine code or assembly language to code in a specific higher-level language or psuedocode

Answer 104

Type of reverse engineering software that converts machine language code into assembly language code

Answer 105

User Acceptance Training Beta testing by the end users that proves a program is usable and fit-for-purpose in real-world conditions

Answer 106

Process of validating software design through mathematical modeling of expected inputs and outputs

Answer 107

regedit doesn't display last modification time of a value by default. Changes to registry are a major IoC so not knowing when a change happened is not good. Use regdump, which will dump contents of registry to a text file for analysis

Answer 108

Information- successful events Warning- not necessarily a problem but could end up one Error- significant problems which could inhibit functionality Audit success/failure- only in security logs

Answer 109

Manages access to user desktop and loading user profile through userinit.exe

Answer 110

Special kind of process that hosts threads that only run in kernel mode PID is ALWAYS 4

Answer 111

Client Server Runtime Subsystem User mode side of Windows subsystem, and responsible for process thread creation and deletion. Always running, CRITICAL to system operation. If terminated, will result in system failure.

Answer 112

Windows Initialization Process Responsible for launching services.exe, lsass.exe, and lsaiso.exe within session 0

Answer 113

Responsible for creating new sessions

Answer 114

Service Control Manager (SCM)- handles system services like svchost.exe, dllhost.exe, and many others

Answer 115

Service Host- responsible for hosting and managing Windows services. These services are implemented as DLLs stored in the Registry. When it calls upon a service it uses the -k flag.

Answer 116

Local Security Authority Subsystem- enforces security policy on system. Handles authentication/authorization services for the system, and writes to Windows Security Log

Answer 117

Reverse engineer code used by the processes Discover how processes interact with the file system and Registry Examine network connections Retrieve cryptographic keys Extract strings

Answer 118

Are security services prevented from running? Is the process running the service compromised? Is the service disabled by a DDoS? Is there excessive bandwidth usage?

Answer 119

Detect Destroy (probably only in a government agency, hack back is illegal) Degrade Disrupt Deny Deceive

Answer 120

Windows Explorer Gives users access to their folders and files Provides functionality to start menu, task bar, etc

Answer 121

Achieve persistence- modifying Registry Key entries Delete Registry Keys to clean up prior activity Modify Registry Keys to conceal payloads/commands used to maintain persistence

Answer 122

Analyzing save state files VM introspection

Answer 123

Configure firewalls to allow only whitelisted ports to communicate on ingress/egress interfaces Config documentation should also show which server ports are allowed on any given host type Configure detection rules to alert on mismatched protocol usage over a standard port

Answer 124

Suite of tools designed to assist with troubleshooting issues with Windows Many of these tools are suited to investigating security issues

Answer 125

Uses tools installed to the hypervisor to retrieve pages of memory for analysis

Answer 126

Place where an adversary begins to collect data in preparation for exfiltration. Data is often compressed and encrypted. Temp files or folders User profile locations Data masked as logs Alternate Data Streams

Answer 127

Detecting these attacks can be very difficult as it can't be differentiated from legitimate authentication Most AV will block tools that allow this such as Mimikatz Restrict and protect high privileged accounts (Domain admin, local admin) Restrict inbound traffic to workstations using firewall

Answer 128

Data Exfiltration Insider Data Exfiltration Device Theft/Loss Accidental Data Breach Integrity/Availability Breach (corruption of data, destruction of system, etc)

Answer 129

Linux command that displays a list of users who are currently logged into the computer

Answer 130

Tools that can help identify suspicious service activity even when antimalware fails to identify it Task Manager Windows Services Manager (services.msc) net start (command line) Get-Service (Powershell)

Answer 131

Windows command to start a network service or list running network services.

Answer 132

Indicators that a legitimate process has been corrupted with malicious code Process making changes to registry file without permission Accessing data files in temp locations Using the network for malicious activity

Answer 133

Responsible for: Forwarding traffic Encrypting traffic NAT Filtering traffic with ACLs

Answer 134

Makes decisions about how traffic should be prioritized and secured, and where it should be switched

Answer 135

Monitors traffic conditions and network status

Answer 136

Install, update, validate trusted root certificates Deploying, updating, revoking subject certificates Preventing use of self-signed certificates SSH Key Management

Answer 137

Windows utility that allows you to display certificate authority configuration info, configure certificate services, verify certificate's key pair and certificate chains

Answer 138

Library of software functions supporting the SSL/TLS protocol Has commands to create/view digital certificates, generate private keys, test TLS/SSL functions

Answer 139

Center for Internet Security Not-for-profit org that publishes well-known "Top 18 Critical Security Controls"

Answer 140

1- Inventory and control of authorized devices 2- Inventory and control of authorized software 3- Data protection 4- Secure configuration of assets and software 5- Account management

Answer 141

Common Platform Enumeration Scheme for identifying hardware devices, operating systems, and applications

Answer 142

Common Attack Pattern Enumeration and Classification Knowledge base maintained by MITRE

Answer 143

Real time log analysis to ID suspicious traffic and redirect to sinkhole or black hole Use geolocation/IP reputation data to redirect/ignore suspicious traffic Aggressively close slower connections by reducing timeouts on affected servers Use caching and backend infrastructure to offload processing to other servers Utilize enterprise DDoS protection services

Answer 144

Linux tool that retrieves a list of all files currently open on the OS Quickly get a list of all resources a process is currently using

Answer 145

Don't recognize process name Name similar to legit process (scvhost vs svchost) Appears without an icon, version info, description, company name Unsigned, especially if it claims to be from a well known company Digital signature doesn't match identified publisher Doesn't have parent/child relationship with principal Windows process Hosted by utilities like Explorer, Notepad, Task Manager, etc Packed or compressed (highlighted purple in Process Explorer)

Answer 146

Contains info that Windows continually references during operation, which is necessary info for configuration: User profiles Installed applications Types of documents users/apps can create Hardware on system Ports being used

Answer 147

Process of peer review of uncompiled source code by other developers

Answer 148

Windows- shimmed/injected into a host process by making it load the malicious code as a DLL Linux- often injected into Shared Objects (.so files)

Answer 149

Physical hosts AND virtual hosts

Answer 150

Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website.

Answer 151

Secure Sockets Layer; all three versions are considered obsolete and insecure

Answer 152

Group Policy Object A group policy is used to manage Windows systems in a Windows network domain environment utilizing a Group Policy Object (GPO). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.

Answer 153

which bash By executing the "which bash" command, the system will report the file structure path to where the bash command is being run. If the directory where bash is running is different from the default directory for this Linux distribution, this would indicate a compromised machine.

Answer 154

Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number.

Answer 155

planning requirements design implementation testing deployment maintenance

Answer 156

Attack Surface

Answer 157

Advanced IDS and user behavior analytics tools are the best option, but they will not detect everything

Answer 158

A system feature that enables one system entity to signal information to another entity by directly or indirectly writing a storage location that is later directly or indirectly read by the second entity

Answer 159

Strong encryption of data both at rest and in transit

Answer 160

cron systemctl ps top

Answer 161

Layer 5 Establishes connection between source and destination Data divided into packets Sessions are unique- data cannot travel across different sessions

Answer 162

Attacker accesses NTDS.DIT Attacker dumps NTDS.DIT, exposing krbtgt Uses krbtgt to craft Golden Ticket Uses Golden Ticket to assume admin rights

Answer 163

Tool developed for sys admins as alternative to Telnet and other remote access services. Can be used by attackers for privilege escalation

Answer 164

Same query repeated several times when a bot is checking into a control server for more orders Commands sent within request or response queries will be longer and more complicated than normal Atypical query types being used (TXT, MX, CNAME, NULL)

Answer 165

Sensitive Personal Information (opinions, beliefs, etc)

Answer 166

Tool that allows you to search the file system for keywords quickly, including system areas such as Recycle Bin, NTFS shadow copy and system volume information

Answer 167

Attacker uses a host as a pivot and is then able to access one of its open TCP/IP ports to send traffic to a port of a host on a different subnet

Answer 168

Use digital certificates on endpoints and servers to authenticate, and encrypt traffic using IPSec or HTTPS

Answer 169

Using the -D flag sets up a local proxy and port forwarding Attackers can chain proxy servers together in order to continue pivoting from host to host until they reach a mission critical host or server

Answer 170

Linux tool that retrieves how much disk space is being used by all mounted file systems and how much space is available for each

Answer 171

Linux tool that enables you to retrieve how much disk space each directory is using based on the specific directory

Answer 172

Windows command with some advanced functionality for file system analysis

Answer 173

Filters all file/folder types that match (x), such as dir /AH displays only hidden files and folders

Answer 174

Shows who owns each file in addition to standard info

Answer 175

Displays alternate data streams for a file

Answer 176

Port scanning or sweeps Non standard port usage Covert channels Rogue Devices Traffic Spikes

Answer 177

netcat Swiss Army Knife of network administration Made for reading from or writing to network connections Port scanning Remote administration File transfer Attackers can use for port listening or to create a backdoor

Answer 178

Network based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashes came from Attacker could obtain cached hash of local admin that had previously signed in and use this hash for privilege escalation Only works if hash is stored on target system (user has signed in there before)

Answer 179

Install a WAF to analyze inbound requests

Answer 180

Scan based on compliance template or checklist Ensure controls and configuration settings are properly applied to a given host

Answer 181

Comprehensive scan that forces the use of more plug-in types. Takes longer and there's higher risk of causing service disruption

Answer 182

Analyzes hosts for unpatched software vulnerabilities and configuration issues

Answer 183

Artificial Neural Network

Answer 184

Process of incorporating new updates and information to an organization's existing database to improve accuracy

Answer 185

Security Orchestration Automation and Response Security tools that facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment Primarily used for incident response

Answer 186

SIEM with an integrated SOAR

Answer 187

Checklist of actions to perform to detect and respond to a specific type of incident

Answer 188

Automated version of a playbook that leaves clearly defined interaction points for human analysis

Answer 189

Senior executive w/ ultimate responsibility for maintaining CIA of the information asset

Answer 190

Role responsible for handling the management of the system on which the data assets are stored

Answer 191

Responsible for the oversight of any PII/SPI/PHI assets managed by the company

Answer 192

Microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software does not deviate from its documented function)

Answer 193

Firmware update that is digitally signed by the vendor and trusted by the system before installation

Answer 194

Segmentation Disabling unused services

Answer 195

There are bad sectors on the destination drive

Answer 196

Treats the specified search pattern as case insensitive

Answer 197

Identity Provider Provides the validation of the user's identity when using SAML for authentication

Answer 198

Perform a scan from on-site If the organization's network is set up correctly, scanning from off-site will be much more difficult as many of the devices will be hidden behind the firewall. By conducting an on-site scan, you can conduct the scan from behind the firewall and receive more detailed information on the various servers and services running on the internal network.

Answer 199

Suspend the machine and copy the contents of the directory it resides in

Answer 200

SEC- Security PEI- Pre-EFI Initialization DXE- Driver Execution Environment BDS- Boot Device Select TSL- Transient System Load RT- Runtime

Answer 201

Should only be exposed to an isolated or dedicated network used for management and configuration

Answer 202

Ensuring the safety and security of all personnel Prevent further exfiltration of data or prevent the ongoing intrusion from spreading

Answer 203

Eliminates information from being feasibly recovered even in a laboratory environment Includes degaussing, encryption of data with the destruction of its encryption key, and other non-destructive techniques

Answer 204

A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely.

Answer 205

10.x.x.x 172.16-31.x.x 192.168.x.x

Answer 206

Admins and analysts should not perform any actions on the network until they receive law enforcement guidance Employees should receive guidance from law enforcement on what they should and should not say to people outside of the investigation

Answer 207

Walking around a building while attempting to locate wireless networks and devices

Answer 208

Attacker establishes a connection with a remote machine first (telnet, nc, proprietary connection) Then sends a bad request Causes a vulnerable host to respond with a banner message that reveals compromising information such as OS type, software version, etc

Answer 209

NIPS would either shut it down or block it

Answer 210

Reduce the frequency of scans (once every 48 hours, once every week) Reduce the scope of scans (scan less systems or vulnerability signatures) Add additional vulnerability scanners to the process

Answer 211

Cyber- use of hardware or software IT systems Human- social engineering, coercion, impersonation, force Physical- gaining local access

Answer 212

System on a network used to access and manage devices in a separate security zone

Answer 213

Full packet capture

Answer 214

Configure a virtual switch on the physical server and create VLANs

Answer 215

Polymorphic virus

Answer 216

Endpoint forensics

Answer 217

Sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive

Answer 218

Perform a cryptographic erase

Answer 219

Overwrites a storage device by setting all bits to the value of 0 but is not effective on SSDs or Hybrid Drives

Answer 220

Data is encrypted by an application prior to being placed on the data bus

Answer 221

Deidentification method where a unique token is substituted for real data

Answer 222

Deidentification technique where data is generalized to protect the individuals involved "90% of subjects did not experience side effects"

Answer 223

Software Development Lifecycle

Answer 224

Software development model where the phases of the SDLC cascade so that each phase will start only when all tasks from the previous phase are complete

Answer 225

Software development model that focuses on iterative and incremental development to account for evolving requirements and expectations

Answer 226

Security framework for secure application development

Answer 227

Blind Testing Security analyst receives no privileged information about the software

Answer 228

Basic Input/Output System The software used to start your computer Initializes CPU and memory Conducts a Power on Self Test (POST) Looks for a boot loader and starts the OS Tells the computer how to do its most basic functions (handle input from keyboard)

Answer 229

Unified Extensible Firmware Interface Defines a software interface between an OS and platform firmware

Answer 230

Full Disclosure Testing Security analyst receives privileged info about the software such as source code and credentials

Answer 231

Security analyst receives partial disclosure of information about software

Answer 232

Open Web Application Security Project Charity and community that publishes a number of secure application development resources

Answer 233

Sys Admin, Network, and Security Institute Company specializing in cybersecurity and secure web application development training Sponsors GIAC (Global Information Assurance Certification)

Answer 234

Vulnerability that allows attacker to run their own code

Answer 235

Vulnerability that allows an attacker to transmit code from a remote host for execution on a target host over the internet

Answer 236

Temporary storage area that a program uses to store data Think of system memory as a table. There are glasses for water at each spot. Each glass can only contain so much water, and if it exceeds that, it can make a mess on the table. The glasses are buffers.

Answer 237

An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow

Answer 238

Software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order/timing intended by the developer

Answer 239

Time of Check to Time of Use Potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource

Answer 240

Real Time Operating System Prioritizes execution of operations to ensure consistent response for time-critical tasks For systems that cannot tolerate reboots or crashes and must have response times that are predictable to within microsecond tolerances

Answer 241

Human Machine Interface Input and output controls on a PLC to allow a user to configure and monitor the system

Answer 242

Supervisory Control and Data Acquisition Type of industrial control system that manages large scale, multisite devices and equipment spread over geographic region

Answer 243

Building Automation Systems Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers

Answer 244

Controller Area Network Digital serial data communications network used within vehicles

Answer 245

0- Emergency 1- Alert 2- Critical 3- Error 4- Warning 5- Notice 6- Informational 7- Debug "Everyone Always Complains Even When Nothing Is Different"

Answer 246

Server-side issue 500- general error 502- bad gateway has occurred when the server is acting as a proxy 503- overloading of server is causing service unavailability 504- gateway timeout which means there's an issue with the upstream server

Answer 247

Run any code at the highest level of CPU privilege

Answer 248

Hardware Security Module High end cryptographic hardware used in large environments Provides secured backup storage for keys Uses cryptographic accelerators to offload CPU overhead from other devices

Answer 249

Hardware Root of Trust TPM and HSM fall into this category Designed to be difficult to change or avoid

Answer 250

Secure Boot Measured Boot Attestation

Answer 251

UEFI checks booting programs for known-good digital signature, will not run it if they don't match

Answer 252

a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server.

Answer 253

As part of UEFI, report is digitally signed using TPM's private key, showing the data presented is valid

Answer 254

Certain operations that should only be performed once or not at all, such as initializing a memory location

Answer 255

System-on-Chip Type of embedded application commonly used in mobile devices which contains integrated CPU, memory, graphics, audio, network, storage controllers, and software on one chip

Answer 256

Field Programmable Gate Array A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture

Answer 257

A type of file signature, the first two bytes of a binary header that indicates its file type

Answer 258

Web Application Firewall Designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks Used to prevent things like injection attacks and XSS

Answer 259

Coordinated Universal Time A time standard that is useful when your SIEM is collecting data from logs in multiple time zones

Answer 260

Network monitoring stem that detects changes in normal operating data sequences and identifies abnormal sequences Generates alerts when there are deviations from a defined tolerance level from a given baseline (Uses customer data)

Answer 261

Network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside of the acceptable range Generates alerts on any event or outcome that doesn't follow a set pattern or rule. (Uses prescribed patterns like an RFC or industry standard)

Answer 262

Matches a single instance of a character within [a-z], [A-Z], [0-9], [a-zA-Z0-9] for alphanumeric characters

Answer 263

Quantifier, matches one or more occurrences Ex- /apples+/ would match apples and applessss

Answer 264

Matches zero or more occurrences Ex- /apples*/ would match apples, applessss but also apple

Answer 265

Using OSINT to gather info about a domain, such as subdomains, hosting provider, administrative contacts, etc

Answer 266

The OR logical operator

Answer 267

Defines a group

Answer 268

Will only match at the start of a line when searching

Answer 269

Will only match at the end of a line when searching

Answer 270

Capturing contents of disk drive while computer is still running Contents can be change during acquisition (ex- user is connected remotely and making changes at the same time as investigator)

Answer 271

Computer shutdown through OS properly and then the disk is acquired Malware may detect shutdown and perform anti-forensics

Answer 272

dd command- specify input file (if) and output file (of) dd if =/dev/sda of=/mnt/flashdrive/evidence.dd

Answer 273

Open source command line tool for file carving that is used as part of The Sleuth Kit

Answer 274

Cisco developed means of reporting network flow information to a structured database Creates flows and groupings for later review Provides METADATA not FPC so will not provide a complete record of what happened

Answer 275

Requirements (Planning and Direction) Collection and Processing Analysis Dissemination Feedback (repeat)

Answer 276

Matches 0 or 1 occurrences Ex- /apples?/ would match apple or apples but not applessss

Answer 277

User and Entity Behavior Analytics System that can provide automated identification of suspicious activity by user accounts and computer hosts Compares against baseline data Heavily reliant on AI or machine learning

Answer 278

Matches the number of times within the curly braces such as \d{3} matching 3 digits \d{7-10} matching 7 to10 digits

Answer 279

Identification Collection Analysis Reporting

Answer 280

Extracting data from a computer when that data has no associated file system metadata (someone tried to delete it) Attempts to piece together data fragments from slack space to reconstruct deleted files or at least parts of those files

Answer 281

Disable web admin interfaces and use SSH shells for access Use ACLs to restrict access to designated host devices Monitor the number of designated interfaces Deny internet access for remote management (connect to VPN to get on LAN first)

Answer 282

Adversary's use of random delay to try and throw off detecting connection attempt intervals. Used in beaconing to C2 servers

Answer 283

Active scanning engine installed on the enterprise console

Answer 284

Scans a range of IP addresses, shows which IP addresses are in use, and provides the following information: DNS name. System Name. Location.

Answer 285

This could mean: The machines are unreachable The community string being used is invalid The machines are not running SNMP servers

Answer 286

Isolate the workstation by disabling the switch port and resetting the user's credentials Workstation should be imaged for analysis and then remediated or reimaged

Answer 287

Containment, eradication, and recovery

Answer 288

Blind SQL injection

Answer 289

Data Execution Prevention Windows built-in memory protection resource This prevents code from being run in pages that are marked as nonexecutable. DEP, by default, only protects Windows programs and services classified as essential, but it can be used for all programs and services, or all programs and services except the ones on an exception list.

Answer 290

To determine how a piece of malware operates To allow an attacker to spot vulnerabilities in an executable To commit industrial espionage

Answer 291

Security policy auditor in Windows

Answer 292

Service controller

Answer 293

Over the shoulder

Answer 294

Alternates between programmers, with one strategizing and reviewing it while the other enters the computer's code

Answer 295

Fast flux DNS is being used for an attacker's C2

Answer 296

nmap -sT (TCP connect scan)

Answer 297

a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity (high scool, pet's name, etc)

Answer 298

Includes the ethernet header during packet capture

Answer 299

Infrastructure as Code

Answer 300

FTK Imager

Answer 301

A cipher that is outdated and should not be used for any modern applications

Answer 302

User conducted a ping sweep of the subnet

Answer 303

Integer overflow attack

Answer 304

Allows backups of directories to include permissions, saved to a text file.

Answer 305

Used to restore the permissions from the backup created.

Answer 306

Utilize a secure recursive DNS resolver to a third-party secure DNS resolver

Answer 307

Focuses on technologies, settings, and configurations

Answer 308

Looks at how a function is performed or what it accomplishes

Answer 309

Describes how systems interconnect

Answer 310

SANS Investigative Forensics Toolkit Group of free, open-source incident response and forensic tools designed to perform detailed digital forensic examinations in various settings.

Answer 311

COMMERCIALLY AVAILABLE forensics tools

Answer 312

TCP ACK Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered.

Answer 313

Setting the secure attribute on the cookie When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS).

Answer 314

Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.

Answer 315

Service Provider (SP)

Answer 316

Use a mathematical model of the inputs and outputs of a system to prove that the system works as specified in all cases.

Answer 317

GPS Location NAC

Answer 318

Static Code Analysis

Answer 319

A strategy that strengthens an organization's security posture by implementing multiple levels of protection, including inherently secure computer systems and protocols, high level encryption, and authentication. Called such since it implies the organization no longer relies on its network perimeter for security. Essentially instead of walled cities we have a heavier police presence

Answer 320

The attack widely fragmented the image across the host file system

Answer 321

Adjacent Attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS)

Answer 322

Boot with Safe Mode

Answer 323

When booting in Safe Mode, Run and RunOnce are ignored by the Windows system.

Answer 324

File integrity monitoring program

Answer 325

Hex-code for :

Answer 326

Hashing algorithms provide INTEGRITY while encryption algorithms can ensure CONFIDENTIALITY

Answer 327

Slack space is the space left after a file has been written to a cluster. Slack space may contain remnant data from previous files after the pointer to the files was deleted by a user.

Answer 328

Recycle bin or slack space

Answer 329

Wildcard- any single character except newline

Answer 330

Escape the next character- only used with metacharacters Example- if you wanted to treat a . as a period and not as a wildcard you'd use \.

Answer 331

This is how to express a tab in Regex

Answer 332

This is how to express a new line in Regex

Answer 333

Add ^ as the first character inside a character set Ex- /[^aeiou]/ matches any one consonant Ex- /see[^mn]/ would match seek, but not seem or seen

Answer 334

Digit, equivalent of [0-9]

Answer 335

Word character, equivalent of [a-zA-Z0-9_]

Answer 336

Whitespace, equivalent of [\t\n]

Answer 337

Exclude digits [^0-9]

Answer 338

Exclude word characters [^a-zA-Z0-9_]

Answer 339

Exclude whitespace [^\t\n]

Answer 340

Perform a DNS brute force attack. This queries a list of IPs and typically bypasses IPS systems that do not alert on DNS queries.

Answer 341

The scan is returning a false positive The critical patch did not remediate the vulnerability

Answer 342

The types of information an organization will maintain The length of time they will maintain it

Answer 343

Purposely manipulating service quality to decrease their transfer speeds

Answer 344

Analyze the trends of the events while manually reviewing them to see if any indicators match

Answer 345

Training and transition

Answer 346

A TCP SYN scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets.

Answer 347

access_log

Answer 348

Pair programming, as it utilizes two developers working on one workstation, where one developer reviews the code being written in real-time by the other developer.

Answer 349

If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud.

Answer 350

Detection, remediation, testing

Answer 351

The attachment is using a double file extension to mask its identity

Answer 352

Search the registry for a complete list

Answer 353

Chained exploits

Answer 354

Instructs Quantifier to use a lazy strategy for making choices, ie match as little as possible before giving control to the next expression part

Answer 355

tcpdump -i eth0 host 10.10.1.1 The host option specifies a filter to capture ALL traffic to or from a designated IP address

Answer 356

The attacker routed traffic destined for the diontraining.com domain to the localhost

Answer 357

Owner, group, other

Answer 358

Read = 4 Write = 2 Execute = 1

Answer 359

Hex code for @ symbol

Answer 360

ESTABLISHED

Answer 361

HFS+ Hierarchical File System Plus

Answer 362

Domain Keys Identified Mail Provides a cryptographic authentication mechanism that can replace or supplement SPF. Organization uploads a public key as a TXT record in the DNS server

Answer 363

Sender Policy Framework Uses a DNS record published by an organization hosting an email service. The SPF record identifies the host authorized to send emails from that domain and there must be only one per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does though.

Answer 364

Domain Based Massage Authentication, Reporting and Conformance Framework Can ensure that SPF and DKIM are being utilized effectively. DMARC relies on DKMI for the cryptographic authentication mechanism.

Answer 365

Network Access Control An approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it in into a segmented portion of the network, scan it for malware and validate its security controls, and then based on the results of those scans either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation.

Answer 366

Combining the dictionary and brute force methods into a single tool

Answer 367

Shows the contents of the NetBIOS name cache and shows a list of name to IP address mappings

Answer 368

OSINT searches of support forums and social engineering

Answer 369

Creates a group (abc) would match abcdefg (abc)+ would match both abc and abcabcabc (in)?dependent would match independent and dependent

Answer 370

Occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media

Answer 371

User and entity behavior analytics to establish baseline behavior

Answer 372

Print services, listening for incoming connections

Answer 373

IPP- Internet Printing Protocol

Answer 374

Printer related

Answer 375

Microsoft SQL

Answer 376

Oracle database

Answer 377

VNC desktop sharing

Answer 378

Common alt port for HTTPS

Answer 379

Critical or high vulnerabilities

Answer 380

The only validation they do is check the version number of an operating system or application against a list of known vulnerabilities. This approach is unable to detect any remediation activities that may have taken place that do not alter the version number.

Answer 381

Systems involved in the incident

Answer 382

Information about files Removed or deleted files

Answer 383

nmap cannot tell whether the port is open or closed

Answer 384

No scanning is required, though you should do it anyway

Answer 385

Configuring vulnerability scanner to start a new scan immediately after the prior scan completes

Answer 386

Time to resolve critical vulnerabilities

Answer 387

A rule that will never trigger because it is placed beneath a broader rule. Example- rule 1 allows any traffic over the internet to ports 80 or 443. Rule 2 is listed below it and is meant to block any traffic to Blocked hosts but since rules trigger in order, it won't fire. Rule 1: allow TCP any (source) any (ports) Internet (destination network) 80, 443 (destination ports) Rule 2: deny TCP any (source) any (ports) Blocked_Hosts (dest) 80, 443 (dest ports)

Answer 388

Zero-write the device

Answer 389

$home/.bash_history

Answer 390

Session hijacking

Answer 391

HTTP Banner grabbing using netcat

Answer 392

Used for port scanning when a better port scanning tool is unavailable

Answer 393

An open redirect vulnerability occurs when an application allows a user to control a redirect or forward to another URL. If the app does not validate untrusted user input, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker's phishing site.

Answer 394

/var/log/auth.log

Answer 395

Turns off pings

Answer 396

Set scan timing -T0 "paranoid" -T1 "sneaky"

Answer 397

An event- anything that is an observable occurrence

Answer 398

Malware Information Sharing Platform An open source threat information platform used to facilitate the collection and sharing of threat information

Answer 399

An open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It is a platform meant for processing and sharing knowledge for cyber threat intelligence purposes.

Answer 400

Open source, rule based NIDS/NIPS

Answer 401

Action, Protocol, Source IP, Source Port, Direction (unidirectional or bidirectional), Destination IP, Destination Port, Options

Answer 402

Alert Log Drop Reject

Answer 403

IP, TCP, UDP and ICMP To specify other protocols you'd do it by port number

Answer 404

Quick identifier of the rule that will appear in the console/log. Usually a one liner that summarizes the event.

Answer 405

Snort Rule ID <100- Reserved rules 100-999,999- rules that come with the build >=1,000,000- rules created by user

Answer 406

Each rule can have additional information or reference to explain the purpose of the rule or threat pattern. That could be a common vulnerabilities and exposures ID or external information. Having references for the rules will always help analysts during the alert and incident investigation.

Answer 407

Snort rules can be modified and updated for performance and efficiency issues. Rev option help analysts to have the version information of each rule. Therefore it will be easy to understand rule improvements.

Answer 408

Payload data. It matches specific payload data by ASCII, hex, or both. It is possible to use this option multiple times in a single rule. However, the more you create specific pattern match features, the more it takes time to investigate a packet.

Answer 409

Use the nocase option

Answer 410

Use the flags option. Example for SYN: alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 1000001; rev:1;)

Answer 411

Use the dsize option. Examples: dsize:100<>300 dsize:>100 dsize:<100

Answer 412

/etc/snort/rules/local.rules

Answer 413

input validation least privilege

Answer 414

Brute force attack where stolen credentials are tested against multiple websites

Answer 415

%2e%2e%2f is the encoding of ../

Answer 416

Scan type that analyzes the responses from probes sent to a target Consumes network bandwidth and processor resources

Answer 417

Uses a service account and since it can access privileged areas it is more likely to find vulnerabilities

Answer 418

Can use default passwords still. Less likely to find vulnerabilities than credentialed

Answer 419

Scanner installed locally. Reduces impact on network, but could be compromised by malware

Answer 420

Scan type that analyzes only intercepted network traffic rather than sending probes to a target Least likely to create impact on network/hosts Least likely to properly identify vulnerabilities

Answer 421

Software Defined Networking APIs and compatible hardware allowing for programmable network appliances and systems Create more complex networks due to size, scope, and ability to rapidly change

Answer 422

Standard for encapsulating EAP communications over a LAN or WLAN and that provides port-based authentication

Answer 423

Null scan Conducts a scan by sending a packet with the header bit set to zero Most IDS/IPS will flag this as malicious

Answer 424

--scan-delay Issues probes with significant delays to become stealthier and avoid detection by an IDS or IPS

Answer 425

List scan Lists the IP addresses from a target range and performs a reverse DNS query to discovery any host names associated with them

Answer 426

Method of restoring a system that cannot be sanitized using manual removal, reinstallation, and monitoring processes Pulling out exact, small bits of data, like performing surgery with a scalpel

Answer 427

UDP scan Sends a UDP packet to a target and waits for a response or timeout

Answer 428

Christmas Tree Scan Conducts scan by sending packet with FIN, PSH and URG flags set to one Lights up IDS "like a Christmas Tree" and is really just a way of seeing if blue team is paying attention

Answer 429

Sends unexpected FIN packet Most IDS/IPS will flag as malicious

Answer 430

TCP connect, conducts full three-way handshake This is the default if you don't have root or admin privileges

Answer 431

Save output to a greppable format

Answer 432

Save output to XML file

Answer 433

Save output normally

Answer 434

Single loss expectancy Asset Value x Exposure Factor = SLE 50,000 x 0.05 (20% likelihood) = $2500

Answer 435

Windows Management Instrumentation Command-Line Program used to review log files on a remote Windows machine, provide users with a terminal interface, and enables admins to run scripts to manage machines remotely

Answer 436

Provides a live view of memory usage per running application or service.

Answer 437

A Windows tool to both see real-time data and graph it over time

Answer 438

Looks at multiple potentially related binaries that have anti-reverse engineering tools run on them and looks for similarities, helping the tool identify malware families despite the protections that malware authors begin.

Answer 439

Threat intelligence is used to provide IP information for rules.

Answer 440

Remote execution of code

Answer 441

Availability rules or alerts

Answer 442

/var/log/auth.log

Answer 443

If files in the directory have changed

Answer 444

Both /etc/passwd and /etc/shadow

Answer 445

Sysinternals tool. GUI based, gives a full view of file system and registry settings and can display either files with permissions that are less restrictive than the parent or any files with permissions that differ from the parent

Answer 446

A command line program that can check the rights a user or group has to resources

Answer 447

Proactive network segmentation

Answer 448

Notification to their acquiring bank

Answer 449

Rebuild and patch the system using original installation media and application software using your organization's build documentation

Answer 450

Encrypt the raw file and transfer a hash and key under separate cover

Answer 451

Ensuring that information is used only for disclosed purposes

Answer 452

This is a difficult method and prone to error. Better methods include use of asset management tool, running a discovery scan, or using results of other recent scans.

Answer 453

Internal and external scanning

Answer 454

Highly formalized, rigorous code review process that involves six phases

Answer 455

SDLC phase that is designed to ensure that data is properly purged at the end of an application life cycle

Answer 456

UAT- User acceptance training

Answer 457

DMARC While SPF and DKIM can help, combining them to limit trusted senders to only a known list and proving that the domain is the domain that is sending the email combine in the form of DMARC to prevent email impersonation when other organizations also DMARC.

Answer 458

Plug the system into an isolated switch and use a span port or tap and Wireshark / tcpdump to capture traffic.

Answer 459

Router and switch-based MAC address reporting

Answer 460

Most powerful mode, it will try all possible character combinations as defined by the settings you enter at the start

Answer 461

Copy the virtual disk files and then use a memory capture tool.

Answer 462

Designed for secure end-to-end messaging. Using a distinct messaging tool for incident response can be helpful to ensure that staff separates incident communication from day-to-day operations.

Answer 463

A tool used to securely wipe files and drives. If eraser is not typically installed on your organization's machines, you should expect that the individual being investigated has engaged in some anti-forensic activities including wiping files that may have been downloaded or used against company policy

Answer 464

Control Objectives for Information and Related Technologies. Consists of four domains: Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate

Answer 465

Percentage of asset expected to be impacted if the risk materializes

Answer 466

7 characters

Answer 467

Quarterly or after any significant change in the network

Answer 468

Logical segmentation

Answer 469

US government standard for information processing, and FIPS 140-2 is used to approve cryptographic modules

Answer 470

Used to allow software defined network controllers to push changes to switches and routers, allowing flow control, network traffic partitioning, and testing of applications and configurations.

Answer 471

Tools that self-extract when run, making the code harder to reverse engineer

Answer 472

Use actual encryption or simply obfuscate the code, making it harder to interpret or read

Answer 473

Software that is intended to prevent reverse engineering and often include packing and encryption techniques as well as other protective technologies

Answer 474

Domain Generation Algorithm Creates procedurally generated domain names for malware command and control hosts

Answer 475

ASLR and the NX bit

Answer 476

file, which shows a file's format, encoding, what libraries it is linked to, and file type

Answer 477

Ophcrack, which uses a rainbow table

Answer 478

Logical acquisition

Answer 479

certutil certutil -hashfile [file location] md5

Answer 480

A network link or route has been repaired

Answer 481

Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system.

Answer 482

Single sign on implementations

Answer 483

A testing file often used by web developers during the initial configuration of a server. Best practice is to remove this file before the server is moved into production or made publicly accessible.

Answer 484

Stands for no execute, used to mark certain areas of memory as non executable