General Flashcards

Question

Root Cause Analysis

Answer 1

Helps understand why important alerts were missed and guides improvements in your alert management system to prevent similar oversights

Answer 2

A common cause of missed security alerts, due to a security team being inundated with an excessive volume of alerts

Answer 3

Access Vector

Answer 4

Access Complexity

Answer 5

Privilege Required

Answer 6

User Interaction

Answer 7

Confidentiality

Answer 8

Availability

Answer 9

A network obstacle is blocking the port so Nmap cannot tell whether it is open or closed

Answer 10

Protects the privacy of an individual's financial information held by financial institutions

Answer 11

Dictates requirements for retaining documents related to an organization's financial and business operations

Answer 12

Lockheed Martin Cyber Killchain; Fails to consider attacker retreat

Answer 13

AT&T Alienvault

Answer 14

User Entity Behavioral Analysis (UEBA) to compare behavior to a known good baseline

Answer 15

A stealthy threat actor, typically a nation-state or state-sponsored, that can remain undetected for an extended period of time EUBA unlikely to detect this kind of threat actor, should be discovered through endpoint analysis

Answer 16

Delimiter for a "whole word"

Answer 17

A threat actor's capability to identify and exploit zero-day vulnerabilities

Answer 18

Refers to the utiliation of commodity malware and techniques (aka script kiddies)

Answer 19

A threat actor's capability to introduce vulnerabilities through the supply chain attacks

Answer 20

Refers to non-cyber tools, such as political or military assets

Answer 21

A mathematical model of the inputs and outputs of a system to prove that the system works as specified in all cases Provides the single greatest mitigation for critical software which cannot have errors (corner cases)

Answer 22

A beta phase of software testing by a limited set of users who report their findings

Answer 23

Intel-designed mecahnism to allow software instructions to blow a transistor in the hardware chip. eFUSE prevents firmware downgrades

Answer 24

Family Education Rights and Privacy Act Privacy act that relates to Education

Answer 25

Diamond, MITRE ATT&CK, AT&T Alienvault

Answer 26

International non-profit organization dedicated to web application security

Answer 27

A legacy transport layer protocol that allows Windows computers to talk to eachother on the same network, and was used as a legacy implementation of SMB on port 139

Answer 28

Line Printer Remote Protocol (TCP 515)

Answer 29

Non Windows printing protocol Utilizes smaller packet headers and requires no further processing by the receiving printer Offers no security and very vulnerable Port 9100

Answer 30

Authentication, access control, and encryption

Answer 31

Collects, analyzes and disseminates information on the status of security systems (internal)

Answer 32

Investigation, collection and dissemination of information about emerging threats and the threat landscape (external)

Answer 33

A reputational threat research intelligence supplier

Answer 34

(USA) Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members. ISACs are available for Critical Infrastructure, Government, Healthcare and other industries.

Answer 35

The UK's alternative to USA's ISACs

Answer 36

Evidence that an intrusion is ongoing

Answer 37

Evidence that an attack has happened

Answer 38

Refers to the correlation of IoCs into attack patterns (killchain)

Answer 39

Structured Threat Information eXpression

Answer 40

Language standard for the dissemination of IOC data via JSON included in the OASIS CTI framework

Answer 41

Trusted Automation eXchange of Indicator Information

Answer 42

Application protocol for exchanging CTI over HTTPS using a REST API

Answer 43

CTI framework developed by Mandiant of XML formatted data to be used in automated incident detection and threat analysis

Answer 44

Malware Information Sharing Project

Answer 45

Cyber Threat Intelligence

Answer 46

A formal classification of the resources and expertise available to a particular threat actor (ie. Acquired or Augmented tools)

Answer 47

The point at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor

Answer 48

A specific path by which a threat actor gain unauthorized access to a system

Answer 49

Open-source intelligence technique that use Google search operators to locate vulnerable web servers and applications. The Google Hacking Database contains a reference for optimized GH search strings aka "Dorks".

Answer 50

A search engine optimized for identifying vulnerable internet-attached devices

Answer 51

Community-driven database that keeps track of IP addresses reported for abusive behavior

Answer 52

Cisco-developed means of reporting network flow information and metadata to a structured database

Answer 53

Open source IDS/IPS for UNIX/Linux that contains a scripting engine that can be used to act on significant events by generating an alert or executing a process

Answer 54

Method used by malware to evade block lists by dynamically generating domain names for C2 networks, primarily used in a "Fast Flux Network" and usually generates a high volume of NXDOMAIN errors.

Answer 55

Use Secure Recursive DNS Resolvers

Answer 56

Method used by malware to hide the presence of C2 networks by continually changing the host IP addresses in domain records using domain generation algorithms

Answer 57

Condition that occurs when a firewall is under-resourced and cannot log data fast enough, therefore some data is missed

Answer 58

A firewall enumeration technique that sends packets with a TTL of 1 to a variety of ports in an attempt to identify hosts behind an open port

Answer 59

Means of mitigating DoS or intrusion attacks by routing traffic to a null interface, effectively dropping the traffic

Answer 60

DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis

Answer 61

Unused physical network ports or unused IP address space within a local network often used by attackers

Answer 62

A server that receives traffic and sends (forwards) it to another network. Can filter or modify data in the process of forwarding.

Answer 63

A type of proxy server that protects servers from direct contact with client requests

Answer 64

A type of proxy that requires explicit clientside configuration that a user is generally aware of

Answer 65

A proxy server that redirects requests and responses without the client being explicitly configured to use it

Answer 66

A firewall designed specifically to protect software running on webservers and their backend databases from code injection and DoS attacks

Answer 67

IDS or IPS/SIEM

Answer 68

Open source Linux-based platform for security monitoring, incident response, and threat hunting that bundles Snort, Suricata, Zeek, Wireshark and NetworkMiner, and other log and incident management tools

Answer 69

Security measures applied to physical or logical ports on a networked device

Answer 70

Advanced Threat Protection (ATP), Advanced Endpoint Protection (AEP), NextGen AV (NGAV)

Answer 71

A malware analysis sandbox for Windows binaries

Answer 72

Malware analysis VM for Linux, Windows and Mac binaries

Answer 73

Malware sandbox tool that performs some automated malware classification and accepts Windows, Linux, Mac and Android binaries

Answer 74

The first two bytes of a binary header that indicates its file type. FileSignatures.net serves as a resource for information on Magic Numbers.

Answer 75

The first two bytes of an executable binary, AKA MZ in ASCII.

Answer 76

An executable self-extracting archive

Answer 77

Replaces a genuine executable with a malicious one

Answer 78

Exploits a programs manifest to load a malicious DLL at runtime

Answer 79

Dropper starts a process in a suspended state and rewrites the memory locations for the program with malware code

Answer 80

Any lightweight code designed to run an exploit on a target

Answer 81

Program for identifying, classifying and describing malware samples. Commonly used for analyzing pcaps against Yara rules.

Answer 82

A standardized language for sharing structured information about malware that is copmlementary to STIX and TAXII to improve the automated sharing of threat intelligence

Answer 83

Mail User Agent

Answer 84

Mail Delivery Agent

Answer 85

Message Transfer Agent

Answer 86

Multipurpose Internet Mail Extensions

Answer 87

Allows a body of an email to support different formats, such as HTML, RTF, encoded binary and attachments

Answer 88

Message data that contains scripts or objects that target some vulnerability in the message client

Answer 89

Email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications

Answer 90

Sender Policy Framework

Answer 91

Single DNS record identifying hosts authorized to send mail for the domain that can include other SPF records (Ex: TXT @ v=spf1 mx include:_spf.google.com include:email.domain.com -all)

Answer 92

DomainKeys Identified Mail

Answer 93

Provides a cryptgoraphic authentication mechanism for mail utilizing a public key published as DNS record, performed serverside (Ex: v=DKIM1;k=rsa;p=PublicKeyGoesHere)

Answer 94

Domain-Based Message Authentication, Reporting and Conformance

Answer 95

Framework for ensuring proper application of SPF and DKIM utilizing a policy published as a DNS record (Ex: v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:user@ex.domain.tld; ruf=mailto:user@ruf.domain.tld; fo=1)

Answer 96

A solution that provides real time or near real time analysis of security alerts generated by network hardware and appliances

Answer 97

Process where data is reformatted or restructured to facilitate the scanning and analysis process

Answer 98

Windows alternative to grep

Answer 99

CLI for the administration of Windows systems using WMI, often used for reviewing log files on a remote machine

Answer 100

Digital forensics case management suite that provides workflows to assist in investigations

Answer 101

Digital forensics investigation suite for Windows which can utilize server clustering for faster processing speeds

Answer 102

Commandline utilities for imaging and file analysis that interfaces with Autopsy

Answer 103

The process of extracting data from a computer when that data has no associated file system metadata

Answer 104

A table that contains metadata with the location of each file in terms of blocks/clusters for disks formatted as NTFS (FAT uses a File Allocation Table instead)

Answer 105

Open source CLI tool included in Sleuth Kit/Autopsy that is used to conduct file carving on Linux and Windows

Answer 106

An IOC where data is transmitted with a hidden element, such as non standard data inside of a ping packet

Answer 107

Distributed Reflection DoS

Answer 108

Means for a network node to advertise its presence and establish a link with other nodes, often seen in specified intervals

Answer 109

When a website experiences DoS conditions due to sudden popularity

Answer 110

Occurs when an attacker redirects an IP to a MAC that was not its intended destination, best remediated by an IDS

Answer 111

Phase of an attack or penetration test in which the attacker or tester gathers information about the target before attacking it

Answer 112

49,152 - 65,535

Answer 113

The usage of commonly used programs to exfiltrate data, such as IM, SMS, Email, FTP or P2P programs

Answer 114

The exfiltration of data using covert techniques such as data segmentation, obfuscation and encoding, with the aim of evading detection

Answer 115

Linux command that provides the parent/child relationship of all the processes on a system

Answer 116

Linux command that lists the attributes of all the current processes

Answer 117

A Linux Init daemon

Answer 118

Linux equivalent of a DLL

Answer 119

A means of exploiting a vulnerability in an application to execute arbitrary code or to crash the process with a memory leak

Answer 120

A file that records the names of applications that have been run, as well as the date and time, file path, run count and DLLs used by the executable

Answer 121

An application usage cache that is stored in the Registry as the key. (Ex. HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache) Often used for applications that require specialized compatibility settings.

Answer 122

An application usage cache that is stored as a hive file (Ex. C:\Windows\appcompat\Programs\Amcache.hve)

Answer 123

The ability of a threat actor to maintain covert access to a target host or network

Answer 124

Tool that manages cron jobs, the Linux equivalent of scheduled tasks. "crontab -l" lists the currently scheduled cron jobs

Answer 125

Software for evidence extraction from smartphones and other mobile devices, cloud data and metadata using a universal forensic extraction device (UFED)

Answer 126

Mobile device forensics tools created by AccessData, the developers of FTK

Answer 127

Mobile device forensics tool created by Guidance Software, the developers of EnCase

Answer 128

Using an infected host to attack another host (Using SSH with the -D flag, you can set up a local proxy and port forwarding on a target)

Answer 129

Network based attack where the attacker steals hashed user credentials and uses them as is to try to authenticate to the same network the hashed credentials originated on. Only use Domain Admin accounts for logging into Domain Controllers to prevent pass the hash exploits

Answer 130

A Kerberos ticket that can grant other tickets in an Active Directory environment (AKA TGT). Admins should regularly change the krbtgt account password.

Answer 131

The trust anchor of the AD domain which functions like a private key of a RCA (root cert authority) and generates ticket-granting tickets (TGT) that are used by users to access services within Kerberos

Answer 132

The plans and processes used during the response to a disruptive event

Answer 133

The plans used during the event of a disaster

Answer 134

An exercise that tests a framework of controls using an incident scenario conducted by a "red team"

Answer 135

A military decision making model created to help responders think clearly in the "fog of war", consisting of Observe, Orient, Decide and Act

Answer 136

Removes an affected component from a larger environment

Answer 137

Achieves the isolation of a host or group of hosts using network technologies and architecture

Answer 138

Group of procedures that an organization uses to govern the disposal of obsolete information and equipment

Answer 139

The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization, usually as defined by business stakeholders rather than engineers

Answer 140

Metric to determine the expected financial loss from a single event. SLE = AV * EF, (Asset Value * Exposure Factor)

Answer 141

Asset Value, Monetary value of the asset

Answer 142

Exposure Factor, The percentage of loss that would result

Answer 143

Number of times per year that a specific threat is expected to occur

Answer 144

Expected financial loss for multiple events during a year

Answer 145

A systemic activity that identifies organizational risks and determines their effect on ongoing mission critical operations

Answer 146

The longest period of time a business can be inoperable without causing irrevocable business failure

Answer 147

Length of time it takes after an event to resume normal business operations and activities

Answer 148

The length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system

Answer 149

The longest period of time that an organization can tolerate lost data being unrecoverable

Answer 150

Response that involves moving or sharing the responsibility of a risk to another entity, usually involving insurance

Answer 151

Response that reduces a risk to fit within an organization's risk appetite

Answer 152

Ceasing an activity that presents risk

Answer 153

Document highlighting the results of risk assessments in an easily comprehensible format that is disseminated to stakeholders

Answer 154

Includes the ethernet header during packet capture.

Answer 155

Displays the IP addresses in numeric form

Answer 156

Line buffered mode

Answer 157

Packet buffered mode

Answer 158

Listen only on a specified port

Answer 159

Print each packet in ASCII

Answer 160

Set snap length (0 for unlimited, all traffic)

Answer 161

Set buffer size

Answer 162

Limit captured packets to provided value (e.g. 20 packets)

Answer 163

"AND", &&, "OR", ||, "NOT", !

Answer 164

Automated building and testing of an application after it's source code has been updated

Answer 165

Delivers the newest version of an application to a production or testing environment, which can then be approved for release by a human

Answer 166

All changes to code that pass CI/CD checks are automatically released without the need for human intervention

Answer 167

Constant evaluation of an environment for changes to quickly detect new risks and improve business operations

Answer 168

Captures specified data that is determined to be useful, rather than collecting all data

Answer 169

TLS was developed in 1999 as SSLv3.1 before being renamed to TLS and the two terms are often used interchangably although SSL is not considered to be secure

Answer 170

Web application scanner

Answer 171

Infrastructure vulnerability scanner

Answer 172

Infrastructure vulnerability scanner

Answer 173

Infrastructure vulnerability scanner

Answer 174

Translates special characters into an encoded form that isn't dangerous to the target system (Ex: < to < in HTML)

Answer 175

Ensures data entering a system is formatted as expected

Answer 176

Layering various technical controls to further secure infrastructure

Answer 177

Commonly used to bypass detection mechanisms in a network, and will commonly end with two equal signs (Ex. aGVsbG8gd29ybGQNCg==)

Answer 178

Run Subkey (HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE \Software\Microsoft\Windows\CurrentVersion\Run)

Answer 179

TCP connect scan

Answer 180

Service discovery scan

Answer 181

Scan ports, no ping

Answer 182

Scan port or port range

Answer 183

Scan all ports on system

Answer 184

Fast port scan

Answer 185

Syn Port Scan, Only performs a partial connection and thus does not reveal you to your target

Answer 186

TCP Connect Scan, Detects open TCP ports

Answer 187

UDP Port Scan, Detects open UDP ports

Answer 188

Ack Port Scan, Detects if a port is stateful and/or filtered

Answer 189

Performs host discovery but does not scan any ports (use for quick scans)

Answer 190

Performs ARP discovery on a local network

Answer 191

Does not resolve DNS, speeds up some scans

Answer 192

Aggression Detection Mode, which is a combination of OS and service discovery

Answer 193

OS Detection

Answer 194

Output Normal

Answer 195

Output XML

Answer 196

Output Greppable

Answer 197

Output All (types)

Answer 198

When an attacker uses a common password(s) to attempt to access multiple accounts

Answer 199

The automated injection of stolen username and password pairs (credentials) to an authentication system

Answer 200

Device Drivers (Most privileged)

Answer 201

Device Drivers (Less privileged)

Answer 202

Applications

Answer 203

A method of sanitizing by physical destruction of the media via shredding, incineration or degaussing

Answer 204

Overwriting data once with repetitive data, or resetting a device to factory settings

Answer 205

Eliminating information from being feasibly recovered even in a laboratory environment

Answer 206

Static code analyzer

Answer 207

File integrity monitoring program

Answer 208

Authenticate claims, not to authenticate users. It's a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.

Answer 209

OIDC is an identity authentication protocol that is an extension of open authorization (OAuth) 2.0 to standardize the process for authenticating and authorizing users when they sign in to access digital services.

Answer 210

Domain Generation Algorithm

Answer 211

Security Content Automation Protocol

Answer 212

A method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization

Answer 213

The Open Group Architecture Framework

Answer 214

A prescriptive framework that divides the enterprise architecture into four domains: Technical, Business, Applications and Data

Answer 215

Re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change

Answer 216

which bash

Answer 217

NIST’s SP 800-63-3 recommends SMS be depreciated for MFA, as it may be accessible to attackers

Answer 218

Property Lists (plists)

Answer 219

Used to manage network resources

Answer 220

Used to manage domain groups

Answer 221

Adds or removes a computer from a domain (ran on primary DC)

Answer 222

OWASP Zed Attack Proxy

Answer 223

The worlds most popular FOSS web application scanner

Answer 224

Windows Scheduler command

Answer 225

Older location for Linux startup services configuration. Potential location for evidence of a backdoor.

Answer 226

FPGAs are often used to provide "Physically Unclonable Functions" (PUFs) that generate a digital fingerprint based on unique features of a device

Answer 227

XML External Entity

Answer 228

Type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

Answer 229

1. Security 2. Pre-EFI initialization 3. Driver Execution Environment 4. Boot Device Select 5. Transient System Load 6. Runtime

Answer 230

Validates a user's identity when using SAML for authentication

Answer 231

Provide services to members of a federation (SAML)

Answer 232

Federal Information Security Management Act

Answer 233

United States federal law that defines a comprehensive framework to protect government information, operations, and assets (Compliance)

General Flashcards

(267 cards)