Network Security and Incident Response
48 Questions

Questions and Answers

Which data type is protected through hard disk encryption?

  • Data at rest (correct)
  • Data in process
  • Data in use
  • Data in transit

Which protocol should you use to encrypt configuration files in transit over an unsecured network?

  • TFTP
  • SSH (correct)
  • Telnet
  • HTTP

What does a Warning severity message from a DNS server indicate?

  • The server has a hardware error that does not require immediate attention
  • The DNS server is unusable due to a severe malfunction and is shutting down
  • An error condition is occurring that must be addressed immediately (correct)
  • A condition exists that will cause errors in the future if the issue is not fixed

    Where should you go to view the scan result after completing a full scan of a Windows 10 PC?

    Windows Security (C)

    What action should you take to determine if a suspicious URL is malicious?

    Submit the URL to a threat intelligence portal for analysis (D)

    What should you do when the company intranet site isn't accepting login information and shows misspellings?

    Restore a backup copy of the authentication database (A)

    What does the CVSS tool primarily assist with in Vulnerability Management?

    Evaluating the severity of vulnerabilities (A)

    Which cybersecurity tool would likely be used for patch management?

    Patch Management Software (D)

    What does the Listening state indicate about the TCP ports when using the netstat -l command?

    The ports are open on the system and are waiting for connections. (B)

    Which NIST incident response lifecycle phase focuses on mitigating the impact of an incident?

    Containment, Eradication and Recovery (C)

    What is the primary function of a hypervisor in a virtualized environment?

    It creates and runs virtual machines. (D)

    Which process allows the network security team to monitor the operating system version and updates on devices?

    Security policies and procedures. (A)

    What type of entry should be created to prevent spoofing of the internal network?

    An ACL. (D)

    Which two private IPv4 addresses are typically blocked on the internet for security reasons? (Choose 2)

    192.168.18.189 (A), 172.18.100.78 (D)

    During a risk evaluation, which risks related to a web server should be considered?

    Hardware failure and software failure. (D)

    In the context of incident response, what is the primary focus of the post-incident activity phase?

    Reporting the cause and costs of the incident. (A)

    What immediate action should be taken to scan affected workstations and remove malware?

    Scan affected workstations and remove malware (B)

    What does the command 'ls -l' do in a Linux terminal?

    To display the file permission and ownership of the executable file (C)

    Which device is most appropriate for filtering websites available to employees on the company network?

    Proxy server (A)

    What term best describes a weakness that potentially exposes organizations to cyber attacks?

    Vulnerability (D)

    Which action should be classified under containment when addressing a worm infection?

    Remove or block infected system from the network (B)

    What is the potential for loss, damage, or destruction classified as?

    Risk (C)

    What treatment approach involves cleaning and patching the infected system?

    Mitigation (D)

    Which type of endpoint attack is characterized by overwhelming a service with excessive traffic?

    DDoS (C)

    Which action likely caused the hacker to gain root access on a Linux server?

    Accessing the server as a guest (A)

    Which wireless encryption technology relies on AES for securing home networks?

    WPA2 (B)

    Which of the following is NOT considered an authentication factor in a multifactor authentication scenario?

    Something you earn (C)

    What is an example of corrective measure control in cybersecurity?

    Restoring a system after an event (A)

    Which two disasters would necessitate a company's implementation of a disaster recovery plan?

    Volcanic eruptions (A), Floods (B)

    What should be done if a laptop user cannot print to their wireless printer after an OS update?

    Install a new device driver for the wireless printer (A)

    Which activity exemplifies active reconnaissance during a penetration test?

    Performing an Nmap port scan on the LAN to determine types of connected devices and open ports (B)

    An analyst accesses employee data on a company server without authorization. This action is considered:

    A breach of the cybersecurity code of ethics (A)

    Which framework is primarily responsible for protecting healthcare information of individuals?

    HIPAA (C)

    What type of cybersecurity threat is indicated by repeated website crashes after restarting?

    Denial of service (D)

    Which command can display the configured DNS server information and resolve a URL's IP address?

    Nslookup (B)

    What type of authentication is demonstrated by entering a strong password along with a 5-digit code sent to your smartphone?

    Multifactor (A)

    What does the process of hashing primarily ensure for communication?

    Data integrity (D)

    Which of the following protects the personal information of members of the European Union?

    GDPR (C)

    In the event of an alert concerning malicious files detected by the IDS, what is the recommended next step?

    Log the alert and watch for a second occurrence (A)

    Which framework is responsible for protecting information about individuals stored by federal agencies?

    FISMA (A)

    Which two actions should be taken immediately regarding telnet access on the corporate database server? (Choose 2)

    Implement SSH access on the server. (A), Disable telnet access on the server. (B)

    Which activity by an adversary is an example of an exploit attempting to gain credentials?

    Sending an email with a link to a fictitious web portal login page. (A)

    What is one basic metric to consider when assigning a severity to a vulnerability during assessment?

    The impacts that an exploit of the vulnerability will have on the organization. (A)

    Which two disadvantages of public vulnerability databases should be noted? (Choose 2)

    Threat actors can access the databases to learn how to vary their threats to avoid detection. (C), They lack comprehensive coverage of all vulnerabilities. (D)

    What type of events do application logs contain?

    Events from programs running on the device. (D)

    Which action should NOT be taken when evaluating vulnerabilities?

    Ignore historical data related to previous exploits. (A)

    Which log type records the success or failure of audit policy events?

    Security logs (C)

    What should be a primary focus when considering a vulnerability's potential for exploitation?

    The likelihood of an adversary exploiting it. (A)

    Flashcards

    Listening state (netstat -l)

    TCP ports are open and waiting for incoming connections.

    NIST Incident Response Lifecycle - Mitigate Impact

    Minimizing damage from an incident, repairing damage, and lessening impact.

    NIST Incident Response Lifecycle - Report Cause

    Determine and document the reason(s) for an incident, associated costs, and steps to prevent it again.

    NIST Incident Response Lifecycle - Detection & Analysis

    Identify unusual activity, determine if it's malicious, and issue warnings.

    Hypervisor function

    Creates and manages virtual machines (VMs).

    Asset Management (in cybersecurity)

    Tracking operating systems, updates, and patches on devices.

    Preventing Internal Network Spoofing?

    NAT (Network Address Translation) rules block spoofing attempts against the internal network. Use of a NAT rule is recommended.

    Private Class IP Addresses

    192.168.x.x and 172.16.x.x are private address ranges that are not routable on the internet, which prevents issues.

    Data at Rest

    Data stored on a hard drive or other storage medium.

    Data in Transit

    Data being transmitted across a network, like when you send an email or browse the internet.

    SSH Encryption

    A protocol that encrypts data transferred over a network, ensuring secure communication.

    DNS Server Warnings

    Messages from a DNS server indicating potential problems that need attention.

    Vulnerability Management Process

    A structured process for identifying, prioritizing, and mitigating vulnerabilities in systems and applications.

    Windows Security: Scan Results

    The location in Windows 10 where you can view the results of a security scan.

    Threat Intelligence Portal

    A service that analyzes suspicious URLs and other online threats for you.

    DNS Server Accuracy

    Checking if the company's intranet website is correctly registered in the local DNS server.

    Worm Mitigation: Treatment

    Actions taken to address the problem of infected systems, such as cleaning and patching them to remove the worm and restore functionality.

    Worm Mitigation: Containment

    Steps taken to prevent the spread of the worm further, often involving isolating infected systems from the network to limit exposure.

    Worm Mitigation: Inoculation

    Protecting uninfected systems by applying patches or updates to address vulnerabilities exploited by the worm, preventing further infection.

    Worm Mitigation: Quarantine

    Segmenting the network to restrict the worm's spread to already infected areas, protecting uninfected parts.

    ls -l Command

    A Linux command used to display detailed information about files and directories, including permissions, ownership, and file size.

    Cybersecurity Term: Asset

    Anything of value that an organization wants to protect, including people, property, or data.

    Cybersecurity Term: Threat

    Anything that could potentially cause harm or damage to an asset, like a virus or a hacker.

    Cybersecurity Term: Risk

    The likelihood of a threat exploiting a vulnerability, leading to harm or loss of an asset.

    Buffer Overflow Attack

    An attack where an attacker sends more data than the system can handle, overflowing the buffer and potentially overwriting critical memory locations, leading to crashes or malicious code execution.

    DDoS Attack

    A cyberattack where multiple compromised devices (botnet) bombard a target server with traffic, overwhelming its resources and making it unavailable to legitimate users.

    Privilege Escalation

    An attack where an attacker gains elevated access to a system, allowing them to perform actions they shouldn't be allowed to, such as accessing sensitive data or changing system settings.

    Brute Force Attack

    An attack where an attacker tries to guess passwords or other credentials by repeatedly trying different combinations.

    WPA2 Encryption

    A wireless encryption standard that offers strong security using the Advanced Encryption Standard (AES) algorithm. It's considered a significant improvement over WEP and WPA.

    Multi-factor Authentication

    A security mechanism that requires users to provide multiple forms of authentication (e.g., something you know, something you have, something you are) to verify their identity.

    Telnet Security Risk

    Using telnet to access a database server is insecure because data is transmitted unencrypted, making it vulnerable to eavesdropping and attacks.

    Exploiting Credentials

    An adversary attempting to gain credentials may use tactics like sending phishing emails with fake login pages to trick users into revealing their passwords.

    Windows Event Logs: Application Logs

    Application logs record events related to software running on the device, including software errors, warnings, and information.

    Windows Event Logs: System Logs

    System logs contain information about operating system events like updates, installations, and critical system actions.

    Vulnerability Severity: Exploit Likelihood

    When assessing a vulnerability, consider the likelihood that an attacker could exploit it.

    Vulnerability Severity: Impact

    During a vulnerability assessment, consider the potential impact if the vulnerability were exploited.

    Public Vulnerability Databases: Threat Actor Advantage

    Attackers can use publicly available vulnerability databases to learn how to exploit vulnerabilities and avoid detection.

    Secure Remote Access: SSH

    SSH (Secure Shell) is a secure protocol for remote access and data transfer, using encryption to protect data during transmission.

    What does GDPR protect?

    The General Data Protection Regulation (GDPR) protects the personal information of individuals within the European Union. This includes data like names, addresses, and online activity.

    What is the purpose of HIPAA?

    The Health Insurance Portability and Accountability Act (HIPAA) safeguards the medical information of individuals in the United States. This includes health records, billing information, and patient diagnoses.

    What does PCI-DSS protect?

    The Payment Card Industry Data Security Standard (PCI-DSS) aims to protect the credit card information of individuals by setting strict security requirements for organizations that handle credit card transactions. This includes data encryption and secure storage practices.

    What is the purpose of FERPA?

    The Family Educational Rights and Privacy Act (FERPA) protects the educational records of students in the United States. This includes grades, attendance records, and disciplinary actions.

    What is FISMA?

    The Federal Information Security Management Act (FISMA) protects the personal information of individuals that is stored by federal agencies in the United States. This includes sensitive information like social security numbers and passport details.

    What does nslookup command do?

    The nslookup command is used to query a Domain Name System (DNS) server. It can be used to find the IP address associated with a domain name or to display the DNS server's configuration information.

    What is a Denial of Service (DoS) attack?

    A Denial of Service (DoS) attack attempts to overwhelm a system or network with excessive traffic, causing it to become unavailable to legitimate users. This can be a website, server, or any other online service.

    What is multifactor authentication?

    Multifactor authentication (MFA) requires users to provide multiple forms of verification to gain access to a system or application. This might include a password, a one-time code sent to a phone, or a fingerprint scan.

    Study Notes

    Network Issues and Response

    • A network experiencing slow response times might indicate TCP ports are in a listening state, waiting for connections.
    • The netstat -l command displays TCP ports in a listening state.

    Incident Response Lifecycle

    • Preparation: Mitigate the impact of the incident, report its cause and cost, and take steps to prevent future incidents.
    • Detection and Analysis: Evaluate incident indicators (legitimate attacks vs. illegitimate), and alert the organization.
    • Containment, Eradication, and Recovery: Establish incident response capability to secure organizational assets.

    Hypervisor Purpose

    • Creates and runs virtual machines.

    Operating System Monitoring

    • Security teams track operating system versions, security updates, and patches on devices, typically through asset management.

    Internal Network Spoofing Prevention

    • DNS records can help prevent internal network spoofing.

    Security and Performance Issues

    • Two private IPv4 addresses that should be blocked on the internet for security and performance reasons are 192.168.18.189 and 203.0.113.168.

    Risk Management

    • Risk reduction: Implementing measures to lessen the negative impacts of risks.
    • Risk avoidance: Choosing not to engage in activities that might involve risks.
    • Risk acceptance: Acknowledging the risks but not taking actions to prevent them.
    • Risk transfer: Passing risk to a third party.

    CIA Triad

    • Confidentiality: Data is accessible only to authorized users.
    • Integrity: Data cannot be altered without authorization.
    • Availability: Data is accessible to authorized users when required.

    Cybersecurity Threats

    • Spear phishing: Targeted phishing attacks attempting to steal sensitive data.
    • Smishing: Phishing attacks via SMS or text messages.
    • Ransomware: Malicious software that encrypts data and demands payment for decryption.
    • Vishing: Phishing attacks using voice calls.

    Network Troubleshooting

    • Implement MAC address filtering to prevent an unknown host from attaching to a network.
    • Block the host's IP address.

    Risk Management Phases

    • Choosing risk strategies: Selecting strategies for dealing with identified risks.
    • Measuring residual risk: Assessing how much risk is left after mitigation actions.
    • Mitigating risks: Taking steps to reduce or eliminate the risks.
    • Determining a risk profile: Understanding and categorizing an organization's risks.

    Attack Types

    • Man-in-the-middle (MitM): An attacker intercepts communication between two parties.
    • Advanced Persistent Threat (APT): A prolonged and sophisticated attack aimed at persistent access and significant damage.
    • Distributed Denial-of-Service (DDoS): Flooding a target with traffic to overwhelm it.
    • Ransomware: Malicious software that encrypts data and demands payment for decryption.

    Security and Accessibility

    • VPN is a security method for accessing a company's secure network remotely.

    Data Protection

    • Hard disk encryption protects data at rest.

    Network Protocols for Secure Transfers

    • SSH can encrypt files transferred over an unsecured network.

    Cybersecurity Tools

    • Nmap, Nessus Scanner, CVSS, Firewall and Patch Management Software.

    Windows Operating System Logs

    • Windows logs track system activity, which can be viewed in Windows Event Viewer (System logs, Application logs, Security logs).

    Threat Intelligence Portals

    • Threat intelligence portals are used to analyze suspicious URLs.

    Authentication Methods

    • Multifactor authentication involves using multiple methods to confirm a user's identity (e.g., password, code sent via phone).

    Control Measures

    • Detective measures: Identify threats and events.
    • Preventive measures: Prevent threats from occurring.
    • Corrective measures: Respond to and resolve detected threats and incidents.

    Disaster Recovery

    • Natural disasters like floods and hazardous material spills can require disaster recovery plans.

    Network Device Troubleshooting

    • To fix wireless printing issues, a new device driver may be required.

    Active Reconnaissance

    • Activities such as examining the HTTP source code of a website to gather information.

    Remote Access Procedures

    • Disable telnet to force more secure authentication methods.

    Cybersecurity Tools and Purposes

    • SIEM (Security Information and Event Management) systems can be used to detect anomalies in user activity.
    • Log files contain information about programs running on the device, software installations, hardware/driver operations, and policy successes/failures.
    • Vulnerability databases are helpful but can take time for reporting/investigation before being adopted by security platforms.

    Description

    This quiz delves into network security concepts, incident response lifecycle, hypervisor functionality, and operating system monitoring. Explore how to effectively address network issues, prepare for incidents, and prevent spoofing while ensuring system security.
