Prac 2 Flashcards

(20 cards)

1
Q
  1. Ebba has received a new initiative for her security team to perform an in-house penetration test. What is the first step that Ebba should undertake?
    a. Approval
    b. Budgeting
    c. Planning
    d. Documentation
A

a. Approval – Incorrect. This should be obtained after a sufficient plan has been made.
b. Budgeting – Incorrect. This will fall within the scope of planning.
c. Planning – Correct. This is the most important step and should be the first thing you do, because a lack of planning can result in trying to do too little or too much. It can also lead to scope creep, which is going beyond the test's initially set limitations.
d. Documentation – Incorrect. This comes after a plan has been made and continues during and after the testing; it is ongoing.

2
Q
  1. Which of the following is NOT a characteristic of a penetration test?
    a. Automated
    b. Finds deep vulnerabilities
    c. Performed occasionally
    d. May use internal employees or external consultants
A

a. Automated - Correct. A penetration test is a complex manual process (though it may be semi-automated) and finds deep vulnerabilities, unlike vulnerability scanning, which is surface-level and automated.
b. Incorrect. A scan usually finds only surface problems to be addressed. This is because many scans are entirely automated and provide only a limited verification of any discovered vulnerabilities. A penetration test, on the other hand, can find deep vulnerabilities.
c. Incorrect. Due to its impact on the system, a penetration test is only performed occasionally.
d. Incorrect. A penetration test can use either internal employees or external consultants.

3
Q
  1. Linnea has requested to be placed on the penetration testing team that scans for vulnerabilities to exploit them. Which team does she want to be placed on?
    a. Blue Team
    b. Purple Team
    c. White Team
    d. Red Team
A

a. Blue Team - This team actively monitors attackers and shores up defenses against the red team.
b. Purple Team - This team communicates between blue and red in real time.
c. White Team - This team ensures the rules of the pen test are followed.
d. Red Team - This team scans for vulnerabilities and exploits them.

4
Q
  1. Lykke’s supervisor is evaluating whether to use internal security employees to conduct a
    penetration test. Lykke does not consider this a good idea and has created a memo with several
    reasons they should not be used. Which of the following would NOT be part of that memo?
    a. The employees could have inside knowledge of the network that would give them an advantage.
    b. There may be a lack of expertise.
    c. Employees may have a reluctance to reveal a vulnerability.
    d. They would have to stay overnight to perform the test.
A

a. Incorrect. Using internal employees could give them a competitive edge because of information
that they might know that an outside threat actor would not know.
b. Incorrect. Due to the specialization of a pen test, one of the concerns for using internal employees
is that it's possible they lack the expertise to perform an in-depth test.
c. Incorrect. A drawback is that employees may be reluctant to reveal a vulnerability that they or a
colleague has been tasked to protect, so that in revealing it, it may make them look bad in the eyes
of management.
d. Correct. A penetration test does not necessarily have to be performed overnight.

5
Q
  1. What penetration testing level name is given to testers who have no knowledge of the network
    and no special privileges?
    a. Black box
    b. Gray box
    c. White box
    d. Purple box
A

a. Correct. Black box testers have no knowledge of the network and no special privileges.
b. Incorrect. Gray box testers are given limited knowledge of the network. In addition, they
sometimes have elevated privileges.
c. Incorrect. White box testers are given full knowledge of the network and even the source code of
applications.
d. Incorrect. A purple box is fictitious and does not exist.

6
Q
  1. Which of the following is NOT an advantage of crowdsourced penetration testing?
    a. Faster testing
    b. Less expensive
    c. Ability to rotate teams
    d. Conducting multiple tests simultaneously
A

a. Incorrect. Faster testing is possible and can result in quicker remediation of vulnerabilities.
b. Correct. Crowdsourced penetration testing may or may not be less expensive than other sources.
c. Incorrect. Ability to rotate teams so that different individuals test the system is an advantage of
crowdsourced penetration testing.
d. Incorrect. Conducting multiple tests simultaneously can be one of the strengths of crowdsourced penetration testing.

7
Q
  1. Tilde is working on a contract with the external penetration testing consultants. She does not
    want any executives to receive spear-phishing emails. Which rule of engagement would cover this
    limitation?
    a. Scope
    b. Exploitation
    c. Targets
    d. Limitations and exclusion
A

a. Correct. For a penetration test, the scope is what should be tested. Scope involves several
elements that define the relevant test boundaries.
b. Incorrect. The exploitation level of a penetration test determines what should be exploited when
a vulnerability is uncovered.
c. Incorrect. Targets are not a rule of engagement for penetration testing, period.
d. Incorrect. Limitations and exclusions are not rules of engagement for penetration testing, period.

8
Q
  1. Which is the final rule of engagement that would be conducted in a pen test?
    a. Cleanup
    b. Communication
    c. Reporting
    d. Exploitation
A

a. Incorrect. Although cleanup is important, it should not come after reporting.
b. Incorrect. Communication should be conducted throughout the entire penetration test period.
c. Correct. Reporting should be the last phase of a penetration test.
d. Incorrect. Exploitation is an earlier phase of a penetration test.

9
Q
  1. What is another name for footprinting?
    a. High-level reconnaissance
    b. Active reconnaissance
    c. Modeling
    d. Revealing
A

a. Incorrect. This is not a term that is used in cybersecurity.
b. Correct. Active reconnaissance involves directly probing for vulnerabilities and useful information,
much like a threat actor would do. This reconnaissance is also called footprinting.
c. Incorrect. This term is not used in this context in cybersecurity.
d. Incorrect. This term is not used in this context in cybersecurity.

10
Q
  1. When researching how an attack recently took place, Nova discovered that the threat actor,
    after penetrating the system, started looking to move through the network with their elevated
    position. What is the name of this technique?
    a. Jumping
    b. Twirling
    c. Squaring up
    d. Lateral movement
A

a. Incorrect. This is not a term that is used in cybersecurity.
b. Incorrect. This is not a term that is used in cybersecurity.
c. Incorrect. This is not a term that is used in cybersecurity.
d. Correct. With advanced privileges, a threat actor will tunnel through the network looking for
additional systems they can access from this newly elevated position.

11
Q
  1. What are documents that are authored by technology bodies employing specialists, engineers,
    and scientists who are experts in those areas?
    a. Cybersecurity feeds
    b. White notebooks
    c. Blue papers
    d. Requests for comments (RFCs)
A

a. Incorrect. A cybersecurity feed provides information about the latest vulnerability.
b. Incorrect. This is not a term that is used in cybersecurity.
c. Incorrect. This is not a term that is used in cybersecurity.
d. Correct. RFCs are documents that are authored by technology bodies employing specialists,
engineers, and scientists who are experts in those areas.

12
Q
  1. Which of the following is NOT a general information source that can provide valuable in-depth
    information on cybersecurity?
    a. Twitter
    b. Conferences
    c. Local industry groups
    d. Vendor websites
A

a. Correct. With its limitation on the number of characters, Twitter is not considered an in-depth
information source for cybersecurity.
b. Incorrect. Industry and academic conferences are good general sources for in-depth information.
c. Incorrect. Local industry groups can provide valuable information on cybersecurity.
d. Incorrect. Vendor websites often provide in-depth information on cybersecurity as it relates to
their products.

13
Q
  1. Which of the following is a standard for the handling of customer card information?
    a. DRD STR
    b. OSS XRS
    c. RMR CDC
    d. PCI DSS
A

a. Incorrect. This is a fictitious standard and does not exist.
b. Incorrect. This is a fictitious standard and does not exist.
c. Incorrect. This is a fictitious standard and does not exist.
d. Correct. One cybersecurity standard is the Payment Card Industry Data Security Standard (PCI
DSS). The PCI DSS compliance standard was introduced to provide a minimum degree of security for
handling customer card information.

14
Q
  1. Which of the following are developed by established professional organizations or government
    agencies using the expertise of seasoned security professionals?
    a. Legislation
    b. White papers
    c. Regulations
    d. Benchmarks
A

a. Incorrect. Legislation is not established by professional organizations or government agencies that
are using the expertise of security professionals.
b. Incorrect. White papers are not developed by established professional organizations or the
government.
c. Correct. Industry regulations are typically developed by established professional organizations or
government agencies using the expertise of seasoned security professionals. These regulations are
followed by companies that have similar business processes, resulting in a common set of tested and
approved regulations that are under continual review and revision. Almost every industry has its
own set of regulations, and cybersecurity is no exception.
d. Incorrect. Benchmarks are guidelines for configuring a device or software that are usually
distributed by hardware manufacturers or software developers.

15
Q
  1. Which group is responsible for the Cloud Controls Matrix?
    a. CSA
    b. CIS
    c. OSINT
    d. NIST
A

a. Correct. The Cloud Security Alliance (CSA) is an organization whose goal is to define and raise
awareness of best practices to help secure cloud computing environments. Its Cloud Controls Matrix
is a specialized framework of cloud-specific security controls.
b. Incorrect. The Center for Internet Security (CIS) is a nonprofit, community-driven organization. It
has created two recognized frameworks. The CIS Controls are controls for securing an organization
and consist of over 20 basic and advanced cybersecurity recommendations.
c. Incorrect. OSINT stands for open source intelligence; it is not an organization.
d. Incorrect. The National Institute of Standards and Technology (NIST), operating under the U.S.
Commerce Department, created the NIST cybersecurity frameworks as a set of guidelines for helping
private companies identify, detect, and respond to cyberattacks. These frameworks also include
guidelines for how to prevent and recover from an attack.

16
Q
  1. Tuva’s supervisor wants to share a recent audit outside the organization. Tuva warns him that
    this type of audit can only be read by those within the organization. What audit does Tuva’s
    supervisor want to distribute?
    a. SSAE SOC 2 Type II
    b. SSAE SOC 2 Type III
    c. SSAE SOC 3 Type IV
    d. SSAE SOC 3.2 Type X
A

a. Correct. The SSAE SOC 2 Type II report is an internal controls report that reviews how a company
safeguards customer data and how well those controls are operating. A SOC 2 can only be read by
the user organizations that rely on the services.
b. Incorrect. A SOC 3 report can be freely distributed.
c. Incorrect. This is fictitious.
d. Incorrect. This is fictitious.

17
Q
  1. Which ISO contains controls for managing and controlling risk?
    a. ISO XRS
    b. ISO 31000
    c. ISO 271101
    d. ISO 27555
A

a. Incorrect. This is fictitious.
b. Correct. ISO 31000 contains controls for managing and controlling risk.
c. Incorrect. This is fictitious.
d. Incorrect. This is fictitious.

18
Q
  1. Which premise is the foundation of threat hunting?
    a. Cybercrime will only increase.
    b. Threat actors have already infiltrated our network.
    c. Attacks are becoming more difficult.
    d. Pivoting is more difficult to detect than ever before.
A

a. Incorrect. Although this is correct, it is not the foundation of threat hunting.
b. Correct. Threat hunting is proactively searching for cyber threats that thus far have gone
undetected in a network. Threat hunting begins with a critical major premise: threat actors have
already infiltrated our network. It then proceeds to find unusual behavior that may indicate the
presence of malicious activity.
c. Incorrect. Although this is correct, it is not the foundation of threat hunting.
d. Incorrect. The difficulty in detecting pivoting has no impact on the foundation of threat hunting.

19
Q
  1. Which of the following can automate an incident response?
    a. SIEM
    b. SOAR
    c. CVCC
    d. SOSIA
A

a. Incorrect. A SIEM does not create an automated incident response.
b. Correct. SOARs go beyond SIEMs by combining more comprehensive data gathering and analytics
in order to automate incident response. While a SIEM tends to generate more alerts than a security
team may be able to respond to, a SOAR allows a security team to automate incident responses.
c. Incorrect. This is fictitious.
d. Incorrect. This is fictitious.

20
Q
  1. Which of the following is not something that a SIEM can perform?
    a. User behavior analysis
    b. Sentiment analysis
    c. Log aggregation
    d. Incident response
A

a. Incorrect. A SIEM can perform user behavior analysis to establish an “everyday” baseline of
activities.
b. Incorrect. A SIEM can perform sentiment analysis.
c. Incorrect. One of a SIEM’s primary responsibilities is log aggregation.
d. Correct. A SOAR, not a SIEM, can perform incident response.