CyberOps Associate 1.0 Final Exam Flashcards

Questions and Answers

In which two cases might an organization use PKI applications to securely exchange information between users? (Choose two)

• 802.1x authentication (correct)
• SMTP email service
• FTP file transfer
• HTTPS web service (correct)

Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology?

Deploy a Cisco SSL Appliance.

Which three objectives must the BYOD security policy address? (Choose three)

• The level of access of employees when connecting to the corporate network must be defined. (correct)
• Safeguards must be put in place for any personal device being compromised. (correct)
• All personal devices must be registered with the IT department.
• Rights and activities permitted on the corporate network must be defined. (correct)

What type of attack targets an SQL database using the input field of a user?

SQL injection

What are two characteristics of Ethernet MAC addresses? (Choose two)

They are globally unique. (C), They are expressed as 12 hexadecimal digits. (D)

What conclusion can be drawn based on the connectivity test using the command 'ping 127.0.0.1' that returns four positive replies?

The TCP/IP implementation is functional.

What characterizes a threat actor?

They always try to cause some harm to an individual or organization.

What type of malware presents a user with a screen requesting payment before data access?

a type of ransomware

Which ICMPv6 message type provides network addressing information to hosts that use SLAAC?

router advertisement

Which tool included in the Security Onion is a series of software plugins that send different types of data to the Elasticsearch data stores?

Beats

Which two types of unreadable network traffic could be eliminated from data collected by NSM? (Choose two)

SSL traffic (A), IPsec traffic (B)

What is the core open source component of the Elastic-stack responsible for accepting data in its native format?

Logstash

In the NIST incident response process life cycle, which type of attack vector involves the use of brute force?

attrition

What is a characteristic of CybOX?

It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.

What are two ways that ICMP can be a security threat to a company? (Choose two)

by providing a conduit for DoS attacks (A), by collecting information about a network (B)

What are two problems that can be caused by a large number of ARP request and reply messages? (Choose two.)

All ARP request messages must be processed by all nodes on the local network. (A), The ARP request is sent as a broadcast and will flood the entire subnet. (D)

Which field in the Sguil application window indicates the priority of an event or set of correlated events?

ST

Match the job titles to SOC personnel positions:

Tier 1 Alert Analyst = Monitors incoming alerts & verifies that a true incident has occurred Tier 2 Incident Responder = Involved in deep investigation of incident Tier 3 Subject Matter Expert = Involved in hunting for potential threats & implements threat detection tools

If the default gateway is configured incorrectly on the host, what is the impact on communications?

The host can communicate with other hosts on the local network, but is unable to communicate with hosts on remote networks.

When a connectionless protocol is in use at a lower layer of the OSI model, how is missing data detected and retransmitted if necessary?

Upper-layer connection-oriented protocols keep track of the data received and can request retransmission from the upper-level protocols on the sending host.

What is the prefix length notation for the subnet mask 255.255.255.224?

/27

Which network monitoring tool saves captured network frames in PCAP files?

Wireshark

What is the TCP mechanism used in congestion avoidance?

Sliding window

What is the Internet?

It provides connections through interconnected global networks.

Which protocol is used by the traceroute command to send and receive echo-requests and echo-replies?

ICMP

What are two ICMPv6 messages that are not present in ICMP for IPv4? (Choose two.)

Router Advertisement (A), Neighbor Solicitation (B)

What are two monitoring tools that capture network traffic and forward it to network monitoring devices? (Choose two.)

Network Tap (C), SPAN (D)

Which network monitoring tool is in the category of network protocol analyzers?

Wireshark

Based on the command output shown, which file permission or permissions have been assigned to the other user group for the data.txt file?

read

What are three benefits of using symbolic links over hard links in Linux? (Choose three.)

They can show the location of the original file. (A), They can link to a file in a different file system. (B), They can link to a directory. (D)

A network security specialist is tasked to implement a security measure that monitors the status of critical files in the data center. Which aspect of secure communications is addressed by this security measure?

Data integrity

A network administrator is configuring a AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.)

Separate processes for authentication and authorization (B), Encryption for all communication (C)

In an attempt to prevent network attacks, cyber analysts share unique identifiable attributes of known attacks. What three types of attributes or indicators of compromise are helpful to share? (Choose three.)

Features of malware files (B), IP addresses of attack servers (C), Changes made to end system software (D)

Which two types of messages are used in place of ARP for address resolution in IPv6? (Choose two.)

Neighbor Advertisement (B), Neighbor Solicitation (D)

What is indicated by a true negative security alert classification?

Normal traffic is correctly ignored and erroneous alerts are not being issued.

Normal traffic is correctly ignored and erroneous alerts are not being issued. What does this describe?

It compares the behavior of a host to an established baseline to identify potential intrusions.

Match the description to the antimalware approach:

Signature-based = By recognizing various characteristics of known malware files Heuristics-based = By recognizing general features shared by various types of malware Behavior-based = Through analysis of suspicious activities

Which two protocols are associated with the transport layer? (Choose two.)

UDP (B), TCP (D)

A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?

The IP addresses or the logical location of essential systems or data.

What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.)

Integrity (A), Availability (B), Confidentiality (C)

What is a characteristic of DNS?

DNS servers can cache recent queries to reduce DNS query traffic.

What are two differences between HTTP and HTTP/2? (Choose two.)

HTTP/2 uses a compressed header to reduce bandwidth requirements. (A), HTTP/2 uses multiplexing to support multiple streams and enhance efficiency. (B)

Match the step to the task performed by the router when sending a packet destined for a network in the routing table:

Step 1 = Both are deployed as sensors. Step 2 = Both use signatures to detect malicious traffic.

Which statement describes a typical security policy for a DMZ firewall configuration?

Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

After complaints from users, a technician identifies that the college web server is running very slowly. What is the source of the problem?

A DDoS attack is in progress.

Which two statements describe access attacks? (Choose two.)

Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers. (C), Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code. (D)

Which two actions can be taken when configuring Windows Firewall? (Choose two.)

Allow a different software firewall to control access. (C), Manually open ports that are required for specific applications. (D)

Which statement describes the state of the administrator and guest accounts after a user installs Windows desktop version to a new computer?

By default, both the administrator and guest accounts are disabled.

What is a purpose of entering the nslookup cisco.com command on a Windows PC?

To check if the DNS service is running.

How is the event ID assigned in Sguil?

Each event in the series of correlated events is assigned a unique ID.

Which two types of network traffic are from protocols that generate a lot of routine traffic? (Choose two.)

STP traffic (A), Routing updates traffic (C)

What are two elements that form the PRI value in a syslog message? (Choose two.)

Facility (B), Severity (C)

Which three pieces of information are found in session data? (Choose three.)

Source and destination port numbers (A), Source and destination IP addresses (B), Layer 4 transport protocol (C)

What kind of ICMP message can be used by threat actors to perform network reconnaissance and scanning attacks?

ICMP unreachable

A flood of packets with invalid source IP addresses requests a connection on the network. What type of attack has occurred?

TCP SYN flood

An attacker is redirecting traffic to a false default gateway in an attempt to intercept the data traffic of a switched network. What type of attack could achieve this?

DHCP spoofing

Users report that a database file on the main server cannot be accessed. What type of attack has the organization experienced?

Ransomware

What two kinds of personal information can be sold on the dark web by cybercriminals? (Choose two.)

Facebook photos (B), Street address (C)

What three services are offered by FireEye? (Choose three.)

Identifies and stops latent malware on files (A), Blocks attacks across the web (B), Identifies and stops email threat vectors (D)

After containment, what is the first step of eradicating an attack?

Identify all hosts that need remediation.

Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?

Install a web shell on the target web server for persistent access.

When dealing with a security threat and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations on a system? (Choose two.)

Perform regular vulnerability scanning and penetration testing. (A), Train web developers for securing code. (D)

How does using HTTPS complicate network security monitoring?

HTTPS adds complexity to captured packets.

What are the two important components of a public key infrastructure (PKI) used in network security? (Choose two.)

Certificate authority (C), Digital certificates (D)

Which three algorithms are designed to generate and verify digital signatures? (Choose three.)

DSA (A), ECDSA (B), RSA (C)

Which section of a security policy is used to specify that only authorized individuals should have access to enterprise data?

Identification and authentication policy

Refer to the exhibit. A cybersecurity analyst is viewing captured packets forwarded on switch S1. Which device has the MAC address d8:cb:8a:5c:d5:8a?

PC-A

What kind of message is sent by a DHCPv4 client requesting an IP address?

DHCPDISCOVER broadcast message

What is the responsibility of the human resources department when handling a security incident?

Apply disciplinary measures if an incident is caused by an employee.

How does a security information and event management system (SIEM) in a SOC help the personnel fight against security threats?

By combining data from multiple technologies.

At which OSI layer is a source IP address added to a PDU during the encapsulation process?

Network layer

What is the purpose of CSMA/CA?

To prevent collisions.

Why is DHCP preferred for use on large networks?

It is a more efficient way to manage IP addresses than static address assignment.

Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident?

Detection and analysis

What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?

Add services and autorun keys.

Which type of evidence supports an assertion based on previously obtained evidence?

Corroborating evidence

A technician is configuring email on a mobile device. Which email protocol should the technician use to synchronize folders between the mobile device and the server?

IMAP

What is the goal of an attack in the installation phase of the Cyber Kill Chain?

Create a back door in the target system to allow for future access.

Which two statements are characteristics of a virus? (Choose two.)

A virus can be dormant and then activate at a specific time or date. (C), A virus typically requires end-user activation. (D)

What is a characteristic of a Trojan horse as it relates to network security?

Malware is contained in a seemingly legitimate executable program.

What technique is used in social engineering attacks?

Phishing

What is a purpose of implementing VLANs on a network?

They can separate user traffic.

A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture? (Choose three.)

Wazuh (A), Zeek (B), CapME (C)

In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization?

Risk analysis

In addressing an identified risk, which strategy aims to shift some of the risk to other parties?

Risk sharing

What is a network tap?

A passive device that forwards all traffic and physical layer errors to an analysis device.

If a SOC has a goal of 99.999% uptime, how many minutes of downtime a year would be considered within its goal?

Approximately 5 minutes per year.

The HTTP server has responded to a client request with a 200 status code. What does this status code indicate?

The request was completed successfully.

What is an advantage for small organizations of adopting IMAP instead of POP?

Messages are kept in the mail servers until they are manually deleted from the email client.

What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits?

WinDbg

What is a property of the ARP table on a device?

Entries in an ARP table are time-stamped and are purged after the timeout expires.

What is the purpose of Tor?

To allow users to browse the Internet anonymously.

Which two network protocols can be used by a threat actor to exfiltrate data in traffic that is disguised as normal network traffic? (Choose two.)

DNS (B), HTTP (C)

What is a key difference between the data captured by NetFlow and data captured by Wireshark?

NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.

Which tool captures full data packets with a command-line interface only?

tcpdump

Which method can be used to harden a device?

Use SSH and disable the root account access over SSH.

In a Linux operating system, which component interprets user commands and attempts to execute them?

Shell

A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)

Hidden passwords during transmission (B), Single process for authentication and authorization (D)

What is privilege escalation?

Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.

What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)

The code is authentic and is actually sourced by the publisher. (A), The code has not been modified since it left the software publisher. (D)

An IT enterprise is recommending the use of PKI applications to securely exchange information between the employees.

PKI applications provide encrypted communication and secure identity verification.

Flashcards

Router Advertisement

A network discovery mechanism used in IPv6 networks to inform nodes about the presence of routers and network parameters.

Beats

A collection of lightweight data shippers that help send different types of data (logs, metrics, etc.) to Elasticsearch for analysis.

Unreadable Network Traffic

Network traffic that is encrypted and therefore cannot be read by standard tools.

Logstash

A core open-source component of the Elastic Stack that processes and transforms data from various sources, making data consistent for analysis.

Attrition

An attack vector characterized by using brute force techniques to compromise devices, networks, or services.

CybOX

A standardized framework that helps in specifying, capturing, characterizing, and communicating cybersecurity events and properties related to network operations.

Information Gathering

ICMP can be used to gather information about network structure and devices, revealing potential vulnerabilities.

Denial of Service (DoS) Attacks

ICMP can facilitate DoS attacks by overwhelming targeted systems with traffic, affecting network availability.

Study Notes

ARP Requests and Local Network

• High volume of ARP requests creates network processing overhead for all local nodes.
• Flooding occurs due to ARP requests being broadcast to the entire subnet.

Security Operations Center (SOC) Personnel

• Tier 1 Alert Analyst: Monitors incoming alerts and verifies incidents.
• Tier 2 Incident Responder: Conducts in-depth investigation of incidents.
• Tier 3 Subject Matter Expert: Engages in threat hunting and implements detection tools.

Network Communication Issues

• Incorrect default gateway prevents communication with remote networks while allowing local communication.

Data Detection and Retrospection

• Connectionless protocols rely on upper-layer connection-oriented protocols to detect missing data and request retransmissions.

Internet Routing and Protocols

• Prefix length notation for subnet mask 255.255.255.224 is /27.
• Traceroute utilizes ICMP for echo requests and replies.
• Neighbor Solicitation and Router Advertisement messages are unique to ICMPv6.

Network Monitoring Tools

• Wireshark is identified as a protocol analyzer that captures network frames in PCAP files.
• SPAN and network tap are monitoring tools that capture and forward traffic.

TCP and Network Security

• Sliding window is used in TCP for congestion avoidance.
• Ransomware encrypts files and demands payment for access.

Cyber Security Practices

• TACACS+ provides encrypted communication and separates authentication from authorization processes.
• Sharing indicators of compromise among cyber analysts enhances detection and prevention.

Network Traffic Management

• ICMP messages like neighbor solicitation and advertisement function in IPv6 for address resolution.
• HTTP/2 improves efficiency with multiplexing and header compression compared to HTTP.

Security Incident Responses

• True negative security alerts indicate correct identification of normal traffic.
• Security policies define authorized access to enterprise data.

Cyber Kill Chain Model

• Back doors are created for future access in the installation phase post-compromise.
• Risk analysis evaluates vulnerabilities and their impact on organizations.

Data Exfiltration and Threat Actors

• DNS and HTTP can be misused by threat actors for data exfiltration.
• Identifying and verifying incidents involves continuous monitoring in incident response.

Public Key Infrastructure (PKI)

• Digital certificates and certificate authorities are essential components of PKI in network security.

Common Malware Characteristics

• Viruses require user activation, can remain dormant, and activate later.
• Trojans disguise malware within legitimate-looking programs.

Email Configuration and Protocols

• IMAP allows synchronization of emails across devices while retaining originals on the server.

Network Access Control

• Risk sharing shifts some risk to other parties and can help mitigate threats in network infrastructure.

Traffic Analysis and Monitoring Tools

• Network taps passively forward all traffic for analysis and capture metadata for understanding flow dynamics.

System Hardening Techniques

• Disabling root access over SSH and implementing SSH for secure remote access are essential for hardening devices.

Personal Security Awareness

• BYOD policies must define user rights, safeguard personal devices, and regulate access levels to corporate networks.

Cybersecurity Threat Impacts

• SQL injection attacks exploit input fields to manipulate databases.
• Corroborating evidence supports claims with supplementary facts.

Final Insights

• Effective security monitoring against SSL-encrypted traffic requires specialized tools like Cisco SSL Appliances.
• Networking reliability is gauged by uptime metrics, aiming for minimal yearly downtime, around 5 minutes for high availability goals.### Network Security Concepts
• Router Advertisement: A network discovery mechanism used in IPv6 networks to inform nodes about the presence of routers and network parameters.

Tools in Security Onion

• Beats: A collection of lightweight data shippers that help send different types of data (logs, metrics, etc.) to Elasticsearch for analysis.

Network Traffic and Data Collection

• Unreadable Network Traffic:
  • IPsec Traffic: Encrypted traffic that secures Internet Protocol communications, often eliminating visibility into the data.
  • SSL Traffic: Encrypted traffic using Secure Sockets Layer for secure communication over a computer network, making the data unreadable.

Log Management

• Logstash: A core open-source component of the Elastic Stack that processes and transforms data from various sources, making data consistent for analysis.

Incident Response Processes

• Attrition: An attack vector characterized by using brute force techniques to compromise devices, networks, or services.

Cyber Threat Intelligence

• CybOX: A standardized framework that helps in specifying, capturing, characterizing, and communicating cybersecurity events and properties related to network operations.

ICMP Security Threats

• Information Gathering: ICMP can be exploited to gather information about network structure and devices, revealing potential vulnerabilities.
• Denial of Service (DoS) Attacks: ICMP can facilitate DoS attacks by overwhelming targeted systems with traffic, affecting network availability.

Description

This quiz features flashcards designed for the CyberOps Associate 1.0 final exam. It covers key concepts such as ARP messages and event prioritization in network security tools. Test your knowledge and prepare for your certification with these essential questions.