Modules 13-17: Threats and Attacks Flashcards

1
Q

What are two methods used by cybercriminals to mask DNS attacks? (choose two.)

Domain generation algorithms

Reflection

Fast flux

Shadowing

Tunneling

A
  • Domain generation algorithms
  • Fast flux

Fast flux is a technique used to hide phishing and malware delivery sites behind a quickly changing network of compromised hosts (bots within a botnet): the DNS A records for the domain are rotated rapidly across those hosts, so blocking any single IP address achieves little. The double flux variant also rapidly changes the authoritative name servers for the domain, so both the hostname-to-IP mappings and the name servers that answer for them keep moving.

Domain generation algorithms produce large numbers of pseudo-random domain names to be used as rendezvous points. The malware tries the candidates until it reaches one the operator has registered, so blocklisting any single command-and-control domain is ineffective; a defender who recovers the algorithm can precompute the same names and sinkhole or alert on them.
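A worked example of the rendezvous-point idea, added here and not part of the original flashcards: a date-seeded DGA and the matching defender-side check. The secret, the TLD list and the label-length rule are assumptions standing in for the constants a real sample would carry.

```python
import datetime
import hashlib

# Added example (not from the flashcards): a deterministic, date-seeded DGA.
# A bot and a defender who has reverse-engineered it compute the same list
# for a given day, so the defender can sinkhole or alert on those names.
# The secret and TLD list are assumptions, not values from a real family.
SECRET = b"example-secret"
TLDS = ("com", "net", "org")


def dga_domains(day: str, count: int = 5, secret: bytes = SECRET) -> list:
    """Return `count` rendezvous domains for an ISO date string such as '2024-01-01'."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(secret + day.encode() + bytes([i])).digest()
        length = 12 + digest[0] % 8                      # label length 12..19
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def is_rendezvous(domain: str, today: str, lookback_days: int = 1) -> bool:
    """Defender side: is `domain` in the DGA output for today or the previous `lookback_days`?"""
    base = datetime.date.fromisoformat(today)
    for back in range(lookback_days + 1):
        day = (base - datetime.timedelta(days=back)).isoformat()
        if domain.lower().rstrip(".") in dga_domains(day):
            return True
    return False


if __name__ == "__main__":
    for name in dga_domains("2024-01-01"):
        print(name, is_rendezvous(name, "2024-01-01"))
```

The lookback matters in practice: a bot whose clock is behind, or a query logged just after midnight, will still be recognised because the previous day's list is checked too.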

2
Q

Which network tool uses artificial intelligence to detect incidents and aid in incident analysis and response?

SIEM

Wireshark

NetFlow

SOAR

A

SOAR

SOAR works with SIEM systems: the SIEM detects malicious activity and SOAR helps respond to the threat. SOAR has many functions and benefits, including these abilities:

The use of predefined playbooks to enable automatic response to specific threats

The use of artificial intelligence to detect incidents and aid in incident analysis and response

3
Q

A user is curious about how someone might know a computer has been infected with malware. What are two common malware behaviors? (choose two.)

The computer emits a hissing sound every time the pencil sharpener is used.

The computer beeps once during the boot process.

The computer gets increasingly slower to respond.

No sound emits when an audio CD is played.

The computer freezes and requires reboots.

A
  1. The computer gets increasingly slower to respond.
  2. The computer freezes and requires reboots.

Other symptoms:

  • Appearance of files, applications, or desktop icons
  • Security tools such as antivirus software or firewalls turned off or changed
  • System crashes
  • Emails spontaneously sent to others
  • Modified or missing files
  • Slow system or browser response
  • Unfamiliar processes or services running
  • Unknown TCP or UDP ports open
  • Connections made to unknown remote devices
4
Q

Why would a rootkit be used by a hacker?

to try to guess a password

to reverse engineer binary files

to gain access to a device without being detected

to do reconnaissance

A

to gain access to a device without being detected

5
Q

Which protocol is attacked when a cybercriminal provides an invalid gateway in order to create a man-in-the-middle attack?

ICMP

DNS

DHCP

HTTP or HTTPS

A

DHCP

A cybercriminal could set up a rogue DHCP server that provides one or more of the following:

Wrong default gateway that is used to create a man-in-the-middle attack and allow the attacker to intercept data

Wrong DNS server that results in the user being sent to a malicious website

Invalid default gateway IP address that results in a denial of service attack on the DHCP client

6
Q

What is the result of a DHCP starvation attack?

Clients receive IP address assignments from a rogue DHCP server.

The IP addresses assigned to legitimate clients are hijacked.

The attacker provides incorrect DNS and default gateway information to clients.

Legitimate clients are unable to lease IP addresses.

A

Legitimate clients are unable to lease IP addresses.

7
Q

A company has contracted with a network security firm to help identify the vulnerabilities of the corporate network. The firm sends a team to perform penetration tests to the company network. Why would the team use applications such as Nmap, SuperScan, and Angry IP Scanner?

to probe network devices, servers, and hosts for open TCP or UDP ports

to reverse engineer binary files when writing exploits and when analyzing malware

to detect installed tools within files and directories that provide threat actors remote access and control over a computer or network

to detect any evidence of a hack or malware in a computer or network

A

to probe network devices, servers, and hosts for open TCP or UDP ports

8
Q

Which attack involves threat actors positioning themselves between a source and destination with the intent of transparently monitoring, capturing, and controlling the communication?

DoS attack

ICMP attack

SYN flood attack

man-in-the-middle attack

A

man-in-the-middle attack

9
Q

What technique is a security attack that depletes the pool of IP addresses available for legitimate hosts?

reconnaissance attack

DHCP starvation

DHCP spoofing

DHCP snooping

A

DHCP starvation

10
Q

To which category of security attacks does man-in-the-middle belong?

access

social engineering

reconnaissance

DoS

A

access

With a man-in-the-middle attack, a threat actor is positioned in between two legitimate entities in order to read, modify, or redirect the data that passes between the two parties.

11
Q

How do cybercriminals make use of a malicious iFrame?

The attacker embeds malicious content in business appropriate files.

The iFrame allows multiple DNS subdomains to be used.

The attacker redirects traffic to an incorrect DNS server.

The iFrame allows the browser to load a web page from another source.

A

The iFrame allows the browser to load a web page from another source.

12
Q

Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet?

traffic class

version

flow label

next header

A

Next Header

Optional Layer 3 information about fragmentation, security, and mobility is carried inside of extension headers in an IPv6 packet. The next header field of the IPv6 header acts as a pointer to these optional extension headers if they are present.

https://www.youtube.com/watch?v=58S_W-KuES8

13
Q

Which field in the IPv4 header is used to prevent a packet from traversing a network endlessly?

Time-to-Live

Sequence Number

Differentiated Services

Acknowledgment Number

A

The value of the Time-to-Live (TTL) field in the IPv4 header is used to limit the lifetime of a packet.

The sending host sets the initial TTL value, which is decreased by one each time the packet is processed by a router.

If the TTL field decrements to zero, the router discards the packet and sends an Internet Control Message Protocol (ICMP) Time Exceeded message to the source IP address.

The Differentiated Services (DS) field is used to determine the priority of each packet.

Sequence Number and Acknowledgment Number are two fields in the TCP header.

14
Q

What is the purpose of a reconnaissance attack on a computer network?

to prevent users from accessing network resources

to gather information about the target network and system

to steal data from the network servers

to redirect data traffic so that it can be monitored

A

to gather information about the target network and system

15
Q

A user receives a phone call from a person who claims to represent IT services and then asks that user for confirmation of username and password for auditing purposes. Which security threat does this phone call represent?

social engineering

spam

anonymous keylogging

DDoS

A

social engineering

16
Q

Which statement describes the term attack surface?

It is the network interface where attacks originate.

It is the total number of attacks toward an organization within a day.

It is the group of hosts that experiences the same attack.

It is the total sum of vulnerabilities in a system that is accessible to an attacker.

A

It is the total sum of vulnerabilities in a system that is accessible to an attacker.

17
Q

Which action best describes a MAC address spoofing attack?

flooding the LAN with excessive traffic

bombarding a switch with fake source MAC addresses

altering the MAC address of an attacking host to match that of a legitimate host

forcing the election of a rogue root bridge

A

altering the MAC address of an attacking host to match that of a legitimate host

18
Q

Which type of network attack involves randomly opening many Telnet requests to a router and results in a valid network administrator not being able to access the device?

DNS poisoning

man-in-the-middle

SYN flooding

spoofing

A

SYN flooding

19
Q

A threat actor uses a program to launch an attack by sending a flood of UDP packets to a server on the network.

The program sweeps through all of the known ports trying to find closed ports. It causes the server to reply with an ICMP port unreachable message and is similar to a DoS attack.

Which two programs could be used by the threat actor to launch the attack? (Choose two.)

Wireshark

ping

Low Orbit Ion Cannon

UDP Unicorn

Smurf

A
  • Low Orbit Ion Cannon
  • UDP Unicorn

A threat actor can use a tool such as UDP Unicorn or Low Orbit Ion Cannon to send a flood of UDP packets (a UDP flood attack) that consumes the resources of the target and of the network segment it sits on.

These tools sweep through the well-known ports. Each UDP datagram that arrives at a closed port makes the server reply with an ICMP Port Unreachable message, so the victim generates traffic in response to the flood.

Because most ports on the server are closed, the flood plus the replies can saturate the segment's bandwidth. The end result is very similar to a DoS attack.

20
Q

Which two types of hackers are typically classified as grey hat hackers? (Choose two.)

hacktivists

cyber criminals

vulnerability brokers

script kiddies

state-sponsored hackers

A
  • Hacktivists
  • Vulnerability brokers

Grey hat hackers may do unethical or illegal things, but not for personal gain or to cause damage.

Vulnerability brokers hack to uncover weaknesses and report them to vendors.

21
Q

Which network monitoring capability is provided by using SPAN?

Real-time reporting and long-term analysis of security events are enabled.

Statistics on packets flowing through Cisco routers and multilayer switches can be captured.

Network analysts are able to access network device log files and to monitor network behavior.

Traffic exiting and entering a switch is copied to a network monitoring device.

A

Traffic exiting and entering a switch is copied to a network monitoring device.

When enabled on a switch, SPAN (port mirroring) copies frames that are sent and received on the monitored ports and forwards them to another port, known as the Switch Port Analyzer port, which has an analysis device attached.

22
Q

What are the three major components of a worm attack? (choose three.)

A payload

A propagation mechanism

An infecting vulnerability

A probing mechanism

An enabling vulnerability

A penetration mechanism

A

A payload

A propagation mechanism

An enabling vulnerability

23
Q

Match the security concept to the description.

A
24
Q

A network administrator is checking the system logs and notices unusual connectivity tests to multiple well-known ports on a server. What kind of potential network attack could this indicate?

reconnaissance

access

denial of service

information theft

A

reconnaissance

25
Q

Users in a company have complained about network performance. After investigation, the IT staff has determined that an attacker has used a specific technique that affects the TCP three-way handshake. What is the name of this type of network attack?

DNS poisoning

session hijacking

SYN flood

DDoS

A

SYN flood

The TCP SYN flood attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYN session requests with randomly spoofed source IP addresses to the target. The target allocates a half-open connection for each one and answers with a SYN-ACK that is never acknowledged, so its connection table fills with half-open entries and legitimate handshakes can no longer complete.
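The two previous cards describe what a port scan and a SYN flood look like from the server side. The following detection logic, added here and not part of the original flashcards, runs over a constructed set of connection records (source, destination, destination port, and whether the handshake completed) and flags both patterns. The thresholds and the sample addresses are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Added example (not from the flashcards). Each record is a constructed
# connection attempt as seen by the server: (src_ip, dst_ip, dst_port, completed),
# where completed is True only if the three-way handshake finished.
SAMPLE_FLOWS = []

# Reconnaissance: one scanner probing 12 well-known ports on a single host.
for _port in (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080):
    SAMPLE_FLOWS.append(("203.0.113.5", "10.0.0.7", _port, False))

# SYN flood: 60 SYNs to port 80 from spoofed sources that never complete.
for _i in range(1, 61):
    SAMPLE_FLOWS.append((f"198.51.100.{_i}", "10.0.0.7", 80, False))

# Legitimate traffic: ten clients completing handshakes on 443 and one on 80.
for _i in range(10, 20):
    SAMPLE_FLOWS.append((f"10.0.0.{_i}", "10.0.0.7", 443, True))
SAMPLE_FLOWS.append(("10.0.0.20", "10.0.0.7", 80, True))


def detect_port_scan(flows, min_ports=10):
    """Sources that touched at least `min_ports` distinct ports on one host."""
    ports = defaultdict(set)
    for src, dst, port, _completed in flows:
        ports[(src, dst)].add(port)
    return sorted({src for (src, _dst), seen in ports.items() if len(seen) >= min_ports})


def detect_syn_flood(flows, min_syns=50, max_completion=0.1):
    """(dst, port) pairs that received many SYNs but almost no completed handshakes.

    A flood shows a high SYN count, a completion ratio near zero and a large
    number of distinct (spoofed) sources; a busy but healthy service shows a
    high count with a high completion ratio.
    """
    syns = defaultdict(int)
    completed = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, port, done in flows:
        syns[(dst, port)] += 1
        completed[(dst, port)] += int(done)
        sources[(dst, port)].add(src)
    alerts = {}
    for key, count in syns.items():
        if count >= min_syns and completed[key] / count <= max_completion:
            alerts[key] = {"syns": count, "completed": completed[key],
                           "sources": len(sources[key])}
    return alerts


if __name__ == "__main__":
    print("port scan from:", detect_port_scan(SAMPLE_FLOWS))
    print("SYN flood on:", detect_syn_flood(SAMPLE_FLOWS))
```

The completion ratio is what separates a flood from a popular service: port 443 here receives eleven SYNs and completes ten, port 80 receives 62 and completes one. The same logic applies to NetFlow records, where a flow consisting of a single SYN-only packet is the half-open signature.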

26
Q

Why would an attacker want to spoof a MAC address?

so that the attacker can capture traffic from multiple VLANs rather than from just the VLAN that is assigned to the port to which the attacker device is attached

so that a switch on the LAN will start forwarding frames to the attacker instead of to the legitimate host

so that a switch on the LAN will start forwarding all frames toward the device that is under control of the attacker (that can then capture the LAN traffic)

so that the attacker can launch another type of attack in order to gain access to the switch

A

so that a switch on the LAN will start forwarding frames to the attacker instead of to the legitimate host

27
Q

Which type of security threat would be responsible if a spreadsheet add-on disables the local software firewall?

DoS

Trojan horse

buffer overflow

brute-force attack

A

Trojan horse

28
Q

Which field in an IPv6 packet is used by the router to determine if a packet has expired and should be dropped?

TTL

No Route to Destination

Hop Limit

Address Unreachable

A

Hop Limit

29
Q

What is a vulnerability that allows criminals to inject scripts into web pages viewed by users?

Cross-site scripting

XML injection

buffer overflow

SQL injection

A

Cross-site scripting

30
Q

An attacker is redirecting traffic to a false default gateway in an attempt to intercept the data traffic of a switched network. What type of attack could achieve this?

MAC address snooping

DHCP spoofing

DHCP snooping

MAC address starvation

A

DHCP spoofing

31
Q

What is the term used when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source?

backdoor

vishing

Trojan

phishing

A

phishing

32
Q

What causes a buffer overflow?

sending too much information to two or more interfaces of the same device, thereby causing dropped packets

attempting to write more data to a memory location than that location can hold

sending repeated connections such as Telnet to a particular device, thus denying other data sources

downloading and installing too many software updates at one time

launching a security countermeasure to mitigate a Trojan horse

A

attempting to write more data to a memory location than that location can hold

33
Q

What would be the target of an SQL injection attack?

DHCP

DNS

email

database

A

database

34
Q

The IT department is reporting that a company web server is receiving an abnormally high number of web page requests from different locations simultaneously. Which type of security attack is occurring?

social engineering

adware

phishing

spyware

DDoS

A

DDoS

35
Q

Which statement describes an operational characteristic of NetFlow?

NetFlow can provide services for user access control.

NetFlow captures the entire contents of a packet.

NetFlow flow records can be viewed by the tcpdump tool.

NetFlow collects basic information about the packet flow, not the flow data itself.

A

NetFlow collects basic information about the packet flow, not the flow data itself.

36
Q

Which term is used for bulk advertising emails flooded to as many end users as possible?

spam

adware

brute force

phishing

A

spam

37
Q

Which is an example of social engineering?

an unidentified person claiming to be a technician collecting user information from employees

a computer displaying unauthorized pop-ups and adware

an anonymous programmer directing a DDoS attack on a data center

the infection of a computer by a virus carried by a Trojan

A

an unidentified person claiming to be a technician collecting user information from employees

38
Q

Which tool is used to provide a list of open ports on network devices?

Ping

Nmap

Whois

Tracert

A

Nmap

39
Q

What are two purposes of launching a reconnaissance attack on a network? (Choose two.)

to escalate access privileges

to gather information about the network and devices

to prevent other users from accessing the system

to scan for accessibility

to retrieve and modify data

A

to scan for accessibility

to gather information about the network and devices

40
Q

What is the best description of Trojan horse malware?

It is software that causes annoying but not fatal computer problems.

It is the most easily detected form of malware.

It appears as useful software but hides malicious code.

It is malware that can only be distributed over the Internet.

A

It appears as useful software but hides malicious code.

41
Q

A white hat hacker is using a security tool called Skipfish to discover the vulnerabilities of a computer system. What type of tool is this?

debugger

fuzzer

vulnerability scanner

packet sniffer

A

Fuzzer

Fuzzers are tools used to discover security vulnerabilities in a system by feeding it malformed, unexpected, or randomly generated input and watching for crashes or other faulty behaviour. Examples include Skipfish, Wapiti, and W3af, which are used by white hat hackers against web applications.

42
Q

Which type of security attack would attempt a buffer overflow?

ransomware

reconnaissance

DoS

scareware

A

DoS

43
Q

Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs?

social engineering

denial of service

phishing

reconnaissance

A

reconnaissance

44
Q

Which type of Trojan horse security breach uses the computer of the victim as the source device to launch other attacks?

proxy

FTP

DoS

data-sending

A

proxy

45
Q

In which type of attack is falsified information used to redirect users to malicious Internet sites?

domain generation

ARP cache poisoning

DNS amplification and reflection

DNS cache poisoning

A

DNS cache poisoning

46
Q

Which statement describes cybersecurity?

It is a framework for security policy development.

It is an ongoing effort to protect Internet-connected systems and the data associated with those systems from unauthorized use or harm.

It is a standard-based model for developing firewall technologies to fight against cybercriminals.

It is the name of a comprehensive security application for end users to protect workstations from being attacked.

A

It is an ongoing effort to protect Internet-connected systems and the data associated with those systems from unauthorized use or harm

47
Q

What is an essential function of SIEM?

forwarding traffic and physical layer errors to an analysis device

providing reporting and analysis of security events

monitoring traffic and comparing it against the configured rules

providing 24×7 statistics on packets flowing through a Cisco router or multilayer switch

A

providing reporting and analysis of security events

SIEM provides real-time reporting and analysis of security events. SIEM provides administrators with details on sources of suspicious activity such as user information, device location, and compliance with security policies.

48
Q

Which two types of attacks are examples of reconnaissance attacks? (choose two.)

Brute force

Port scan

Ping sweep

Man-in-the-middle

Syn flood

A

port scan

ping sweep

49
Q

How is optional network layer information carried by IPv6 packets?

inside an extension header attached to the main IPv6 packet header

inside an options field that is part of the IPv6 packet header

inside the Flow Label field

inside the payload carried by the IPv6 packet

A

inside an extension header attached to the main IPv6 packet header

50
Q

What kind of ICMP message can be used by threat actors to create a man-in-the-middle attack?

ICMP echo request

ICMP unreachable

ICMP redirects

ICMP mask reply

A

ICMP redirects.

Common ICMP messages of interest to threat actors include the following:

ICMP echo request and echo reply: used to perform host verification and DoS attacks

ICMP unreachable: used to perform network reconnaissance and scanning attacks

ICMP mask reply: used to map an internal IP network

ICMP redirects: used to lure a target host into sending all traffic through a compromised device and create a man-in-the-middle attack

ICMP router discovery: used to inject bogus route entries into the routing table of a target host

51
Q

Which two characteristics describe a virus? (Choose two.)

Malicious code that can remain dormant before executing an unwanted action.

Malware that executes arbitrary code and installs copies of itself in memory.

Malware that relies on the action of a user or a program to activate.

Program code specifically designed to corrupt memory in network devices.

A self-replicating attack that is independently launched.

A

Malicious code that can remain dormant before executing an unwanted action.

Malware that relies on the action of a user or a program to activate.

52
Q

A threat actor wants to interrupt a normal TCP communication between two hosts by sending a spoofed packet to both endpoints. Which TCP option bit would the threat actor set in the spoofed packet?

SYN

ACK

RST

FIN

A

RST

A TCP reset attack terminates the TCP connection between two hosts by sending a spoofed segment with the RST flag set to one or both endpoints. For the segment to be accepted, its source and destination addresses and ports must match the connection and its sequence number must fall within the receiver's window.

A host that receives a valid RST tears down the connection immediately, without the normal FIN exchange.

53
Q

What is the primary goal of a DoS attack?

to scan the data on the target server

to prevent the target server from being able to handle additional requests

to obtain all addresses in the address book within the server

to facilitate access to external networks

A

to prevent the target server from being able to handle additional requests

54
Q

What is the goal of a white hat hacker?

protecting data

validating data

modifying data

stealing data

A

protecting data

55
Q

In what type of attack is a cybercriminal attempting to prevent legitimate users from accessing network services?

DoS

session hijacking

MITM

address spoofing

A

DoS

56
Q

What are two evasion methods used by hackers? (Choose two.)

scanning

access attack

resource exhaustion

phishing

encryption

A
  • Encryption
  • Resource Exhaustion
57
Q

What functionality is provided by Cisco SPAN in a switched network?

It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.

It prevents traffic on a LAN from being disrupted by a broadcast storm.

It protects the switched network from receiving BPDUs on ports that should not be receiving them.

It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.

It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards.

It mitigates MAC address overflow attacks.

A

It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.

58
Q

Which term describes a field in the IPv4 packet header used to detect corruption in the IPv4 header?

TTL

source IPv4 address

protocol

header checksum

A

header checksum
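This card and card 13 (the TTL) describe the two IPv4 header fields a router touches on every hop. The following example, added here and not part of the original flashcards, builds a header with a correct RFC 791 checksum, verifies it, and models one router hop: check the checksum, decrement the TTL, drop the packet when the TTL would reach zero, and recompute the checksum. The addresses are documentation-range values chosen for the example.

```python
import struct

# Added example (not from the flashcards): IPv4 header construction,
# checksum verification and the per-hop TTL handling a router performs.


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 6,
                      payload_len: int = 0) -> bytes:
    """20-byte header without options; the checksum is computed with that field zeroed."""
    version_ihl = (4 << 4) | 5              # IPv4, header length 5 x 32-bit words
    header = struct.pack("!BBHHHBBH4s4s",
                         version_ihl, 0, 20 + payload_len, 0, 0,
                         ttl, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def header_is_valid(header: bytes) -> bool:
    """A header whose checksum is intact sums to zero; a flipped bit anywhere breaks that."""
    if not header or header[0] >> 4 != 4:
        return False
    ihl = header[0] & 0x0F
    return ihl >= 5 and len(header) >= ihl * 4 and ipv4_checksum(header[:ihl * 4]) == 0


def route_hop(header: bytes):
    """One router hop: verify, decrement TTL, drop at zero, recompute the checksum."""
    if not header_is_valid(header):
        return None, "dropped: bad header checksum"
    ttl = header[8]
    if ttl <= 1:
        # A real router discards the packet and sends ICMP Time Exceeded
        # (type 11, code 0) back to the source address.
        return None, "dropped: TTL exceeded"
    updated = header[:8] + bytes([ttl - 1]) + header[9:10] + b"\x00\x00" + header[12:]
    return updated[:10] + struct.pack("!H", ipv4_checksum(updated)) + updated[12:], "forwarded"


if __name__ == "__main__":
    packet = build_ipv4_header("192.0.2.1", "198.51.100.9", ttl=3)
    while packet is not None:
        packet, status = route_hop(packet)
        print(status)
```

Because the TTL changes on every hop, the header checksum must be recomputed on every hop too; a router that forwarded the old checksum would have the next hop discard the packet as corrupt. This is also why the checksum covers only the header and not the payload: recomputing over the whole packet at every hop would be far more expensive.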

59
Q

Which two characteristics describe a worm? (Choose two)

travels to new computers without any intervention or knowledge of the user

infects computers by attaching to software code

hides in a dormant state until needed by an attacker

is self-replicating

executes when software is run on a computer

A

is self-replicating

travels to new computers without any intervention or knowledge of the user

60
Q

What are two examples of DoS attacks? (Choose two.)

SQL injection

ping of death

port scanning

phishing

buffer overflow

A

buffer overflow

ping of death

61
Q

Match the security tool with the description. (Not all options apply.)

A
62
Q

What focus describes a characteristic of an indicator of attack (IOA)?

It focuses more on threat avoidance after an attack and the potential cost implications.

It focuses more on the risk management strategies after an attack and compromise of systems.

It focuses more on the motivation behind an attack and the means used to compromise vulnerabilities to gain access to assets.

It focuses more on the mitigation after an attack and the potential compromised vulnerabilities.

A

It focuses more on the motivation behind an attack and the means used to compromise vulnerabilities to gain access to assets.

63
Q

What is an objective of a DHCP spoofing attack?

to intercept DHCP messages and alter the information before sending to DHCP clients

to gain illegal access to a DHCP server and modify its configuration

to provide false DNS server addresses to DHCP clients so that visits to a
legitimate web server are directed to a fake server

to attack a DHCP server and make it unable to provide valid IP addresses to DHCP clients

A

to provide false DNS server addresses to DHCP clients so that visits to a
legitimate web server are directed to a fake server

64
Q

What is the significant characteristic of worm malware?

  • Worm malware disguises itself as legitimate software.
  • Once installed on a host system, a worm does not replicate itself.
  • A worm must be triggered by an event on the host system.
  • A worm can execute independently of the host system.
A

A worm can execute independently of the host system.

Explanation: Worm malware can execute and copy itself without being triggered by a host program. It is a significant network and Internet security threat.

65
Q

What is a characteristic of a DNS amplification and reflection attack?

Threat actors hide their phishing and malware delivery sites behind a quickly-changing network of compromised DNS hosts.

Threat actors use malware to randomly generate domain names to act as rendezvous points.

Threat actors use DNS open resolvers to increase the volume of attacks and to hide the true source of an attack.

Threat actors use a DoS attack that consumes the resources of the DNS open resolvers.

A

Threat actors use DNS open resolvers to increase the volume of attacks and to hide the true source of an attack.

66
Q

What is the result of a passive ARP poisoning attack?

Data is modified in transit or malicious data is inserted in transit.

Network clients experience a denial of service.

Confidential information is stolen.

Multiple subdomains are created.

A

Confidential information is stolen.

67
Q

An administrator discovers a vulnerability in the network. On analysis of the vulnerability the administrator decides the cost of managing the risk outweighs the cost of the risk itself. The risk is accepted, and no action is taken.

What risk management strategy has been adopted?

risk transfer

risk acceptance

risk reduction

risk avoidance

A

risk acceptance

68
Q

Which type of DNS attack involves the cybercriminal compromising a parent domain and creating multiple subdomains to be used during the attacks?

shadowing

cache poisoning

tunneling

amplification and reflection

A

shadowing

69
Q

Which two attacks target web servers through exploiting possible vulnerabilities of input functions used by an application? (Choose two.)

  • SQL injection
  • Port scanning
  • Cross-site scripting
  • Port redirection
  • Trust exploitation
A

SQL injection
Cross-site scripting
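Both attacks named in this card (and card 33, which asks what SQL injection targets) come down to untrusted input reaching an interpreter unchanged. The following example, added here and not part of the original flashcards, shows a login query built by string concatenation next to the parameterized form, and an unescaped HTML template next to the escaped one. The table, users and passwords are constructed for the demonstration; a real system would store salted password hashes, not plaintext.

```python
import html
import sqlite3

# Added example (not from the flashcards): SQL injection and reflected XSS,
# each shown as the vulnerable function beside its hardened form.


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table with constructed users (plaintext passwords for the demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Input is pasted into the SQL text, so a quote in the input changes the query's logic."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Placeholders send the values separately from the statement; they can never become SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()


def greeting_vulnerable(name: str) -> str:
    """Reflected XSS: user input lands in HTML unescaped, so <script> runs in the victim's browser."""
    return f"<p>Welcome, {name}</p>"


def greeting_safe(name: str) -> str:
    """Output encoding for the HTML body context: markup characters become entities."""
    return f"<p>Welcome, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(login_vulnerable(db, payload, payload))     # every row: authentication bypassed
    print(login_safe(db, payload, payload))           # [] : the payload is just a string
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
```

With the payload `' OR '1'='1` in both fields the vulnerable query becomes `WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row. The parameterized query compares the literal string and matches nothing. Note that `html.escape` is correct for text inside an element; attribute, URL and JavaScript contexts need their own encoders.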

70
Q

What is the main goal of using different evasion techniques by threat actors?

to launch DDoS attacks on targets

to identify vulnerabilities of target systems

to gain the trust of a corporate employee in an effort to obtain credentials

to prevent detection by network and host defenses

A

to prevent detection by network and host defenses

71
Q

What scenario describes a vulnerability broker?

a teenager running existing scripts, tools, and exploits, to cause harm, but typically not for profit

a threat actor attempting to discover exploits and report them to vendors, sometimes for prizes or rewards

a threat actor publicly protesting against governments by posting articles and leaking sensitive information

a State-Sponsored threat actor who steals government secrets and sabotages networks of foreign governments

A

a threat actor attempting to discover exploits and report them to vendors, sometimes for prizes or rewards

72
Q

Once a cyber threat has been verified, the US Cybersecurity and Infrastructure Security Agency (CISA) automatically shares the cybersecurity information with public and private organizations. What is this automated system called?

  • ENISA
  • NCSA
  • NCASM
  • AIS
A

AIS

Automated Indicator Sharing (AIS) is a service the Cybersecurity and Infrastructure Security Agency (CISA) provides to enable real-time exchange of machine-readable cyber threat indicators and defensive measures between public and private-sector organizations.

AIS helps to protect the participants of the service and ultimately reduce the prevalence of cyberattacks.

73
Q

Which capability is provided by the aggregation function in SIEM?

  • reducing the volume of event data by consolidating duplicate event records
  • increasing speed of detection and reaction to security threats by examining logs from many systems and applications
  • presenting correlated and aggregated event data in real-time monitoring
  • searching logs and event records of multiple sources for more complete forensic analysis
A

reducing the volume of event data by consolidating duplicate event records

74
Q

Which risk management strategy requires careful evaluation of the costs of loss, the mitigation strategy, and the benefits gained from the operation or activity that is at risk?

risk avoidance

risk transfer

risk reduction

risk acceptance

A

risk reduction

75
Q

An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted user. Which type of attack is this?

man in the middle

port redirection

buffer overflow

trust exploitation

A

man in the middle

A man-in-the-middle attack places an unauthorized device between two legitimate devices in order to redirect or capture the traffic passing between them.

76
Q

Which two functions are provided by NetFlow? (Choose two.)

It uses artificial intelligence to detect incidents and aid in incident analysis and response.

It provides a complete audit trail of basic information about every IP flow forwarded on a device.

It provides 24×7 statistics on packets that flow through a Cisco router or multilayer switch.

It allows an administrator to capture real-time network traffic and analyze the entire contents of packets.

It presents correlated and aggregated event data in real-time monitoring and long-term summaries.

A

It provides a complete audit trail of basic information about every IP flow forwarded on a device.

It provides 24×7 statistics on packets that flow through a Cisco router or multilayer switch.

77
Q

What is the function of a gratuitous ARP sent by a networked device when it boots up?

  • To request the IP address of the connected network
  • To advise connected devices of its MAC address
  • To request the NetBIOS name of the connected system
  • To request the MAC address of the DNS server

A

To advise connected devices of its MAC address

78
Q

What kind of ICMP message can be used by threat actors to map an internal IP network?

ICMP echo request

ICMP redirects

ICMP router discovery

ICMP mask reply

A

ICMP mask reply

79
Q

Which protocol is exploited by cybercriminals who create malicious iFrames?

HTTP

DNS

ARP

DHCP

A

HTTP

80
Q

Which SIEM function is associated with examining the logs and events of multiple systems to reduce the amount of time of detecting and reacting to security events?

forensic analysis

correlation

aggregation

retention

A

correlation

SIEM provides administrators with details on sources of suspicious activity such as user information, device location, and compliance with security policies.

One of the essential functions of SIEM is correlation of logs and events from different systems in order to speed the detection and reaction to security

81
Q

Which access attack method involves a software program that attempts to discover a system password by the use of an electronic dictionary?

buffer overflow attack

denial of service attack

port redirection attack

brute-force attack

packet sniffer attack

IP spoofing attack

A

brute-force attack

82
Q

Which cyber attack involves a coordinated attack from a botnet of zombie computers?

ICMP redirect

MITM

DDoS

address spoofing

A

DDoS

83
Q

How can a DNS tunneling attack be mitigated?

  • By preventing devices from using gratuitous ARP
  • By using a filter that inspects DNS traffic
  • By securing all domain owner accounts
  • By using strong passwords and two-factor authentication

A

By using a filter that inspects DNS traffic

84
Q

Which technology is a proprietary SIEM system?

StealthWatch

Splunk

NetFlow collector

SNMP agent

A

Splunk

85
Q

Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device?

NetFlow

network tap

IDS

SNMP

A

network tap

A network tap is a common technology that is used to capture traffic for monitoring the network.

The tap is typically a passive splitting device implemented inline on the network that forwards all traffic, including physical-layer errors, to an analysis device.

86
Q

Which protocol would be the target of a cushioning attack?

ARP

DHCP

HTTP

DNS

A

HTTP

87
Q

Which technology is an open source SIEM system?

StealthWatch

Splunk

ELK

Wireshark

A

ELK

88
Q

Which statement describes the function of the SPAN tool used in a Cisco switch?

It is a secure channel for a switch to send logging to a syslog server.

It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.

It provides interconnection between VLANs over multiple switches.

It supports the SNMP trap operation on a switch.

A

It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.

89
Q

When describing malware, what is a difference between a virus and a worm?

A virus focuses on gaining privileged access to a device, whereas a worm does not.

A virus can be used to deliver advertisements without user consent, whereas a worm cannot.

A virus replicates itself by attaching to another file, whereas a worm can replicate itself independently.

A virus can be used to launch a DoS attack (but not a DDoS), but a worm can be used to launch both DoS and DDoS attacks.

A

A virus replicates itself by attaching to another file, whereas a worm can replicate itself independently.

90
Q

What are three functionalities provided by SOAR? (Choose three.)

It automates complex incident response procedures and investigations.

It provides 24×7 statistics on packets that flow through a Cisco router or multilayer switch.

It uses artificial intelligence to detect incidents and aid in incident analysis and response.

It presents the correlated and aggregated event data in real-time monitoring and long-term summaries.

It provides a complete audit trail of basic information about every IP flow forwarded on a device.

It provides case management tools that allow cybersecurity personnel to research and investigate incidents.

A

It automates complex incident response procedures and investigations.

It uses artificial intelligence to detect incidents and aid in incident analysis and response.

It provides case management tools that allow cybersecurity personnel to research and investigate incidents.