Network Security and Incident Response
48 Questions
Questions and Answers

Which data type is protected through hard disk encryption?

  • Data at rest (correct)
  • Data in process
  • Data in use
  • Data in transit

Which protocol should you use to encrypt configuration files in transit over an unsecured network?

  • TFTP
  • SSH (correct)
  • Telnet
  • HTTP

What does a Warning severity message from a DNS server indicate?

  • The server has a hardware error that does not require immediate attention
  • The DNS server is unusable due to a severe malfunction and is shutting down
  • An error condition is occurring that must be addressed immediately (correct)
  • A condition exists that will cause errors in the future if the issue is not fixed

Where should you go to view the scan result after completing a full scan of a Windows 10 PC?

  • Windows Security (correct)

What action should you take to determine if a suspicious URL is malicious?

  • Submit the URL to a threat intelligence portal for analysis (correct)

What should you do when the company intranet site isn't accepting login information and shows misspellings?

  • Restore a backup copy of the authentication database (correct)

What does the CVSS tool primarily assist with in Vulnerability Management?

  • Evaluating the severity of vulnerabilities (correct)

Which cybersecurity tool would likely be used for patch management?

  • Patch Management Software (correct)

What does the Listening state indicate about the TCP ports when using the netstat -l command?

  • The ports are open on the system and are waiting for connections. (correct)

Which NIST incident response lifecycle phase focuses on mitigating the impact of an incident?

  • Containment, Eradication and Recovery (correct)

What is the primary function of a hypervisor in a virtualized environment?

  • It creates and runs virtual machines. (correct)

Which process allows the network security team to monitor the operating system version and updates on devices?

  • Security policies and procedures. (correct)

What type of entry should be created to prevent spoofing of the internal network?

  • An ACL. (correct)

Which two private IPv4 addresses are typically blocked on the internet for security reasons? (Choose 2)

  • 192.168.18.189 (correct)

During a risk evaluation, which risks related to a web server should be considered?

  • Hardware failure and software failure. (correct)

In the context of incident response, what is the primary focus of the post-incident activity phase?

  • Reporting the cause and costs of the incident. (correct)

What immediate action should be taken to scan affected workstations and remove malware?

  • Scan affected workstations and remove malware (correct)

What does the command 'ls -l' do in a Linux terminal?

  • To display the file permission and ownership of the executable file (correct)

Which device is most appropriate for filtering websites available to employees on the company network?

  • Proxy server (correct)

What term best describes a weakness that potentially exposes organizations to cyber attacks?

  • Vulnerability (correct)

Which action should be classified under containment when addressing a worm infection?

  • Remove or block infected system from the network (correct)

What is the potential for loss, damage, or destruction classified as?

  • Risk (correct)

What treatment approach involves cleaning and patching the infected system?

  • Mitigation (correct)

Which type of endpoint attack is characterized by overwhelming a service with excessive traffic?

  • DDoS (correct)

Which action likely caused the hacker to gain root access on a Linux server?

  • Accessing the server as a guest (correct)

Which wireless encryption technology relies on AES for securing home networks?

  • WPA2 (correct)

Which of the following is NOT considered an authentication factor in a multifactor authentication scenario?

  • Something you earn (correct)

What is an example of corrective measure control in cybersecurity?

  • Restoring a system after an event (correct)

Which two disasters would necessitate a company's implementation of a disaster recovery plan?

  • Volcanic eruptions (correct)

What should be done if a laptop user cannot print to their wireless printer after an OS update?

  • Install a new device driver for the wireless printer (correct)

Which activity exemplifies active reconnaissance during a penetration test?

  • Performing an Nmap port scan on the LAN to determine types of connected devices and open ports (correct)

An analyst accesses employee data on a company server without authorization. This action is considered:

  • A breach of the cybersecurity code of ethics (correct)

Which framework is primarily responsible for protecting healthcare information of individuals?

  • HIPAA (correct)

What type of cybersecurity threat is indicated by repeated website crashes after restarting?

  • Denial of service (correct)

Which command can display the configured DNS server information and resolve a URL's IP address?

  • Nslookup (correct)

What type of authentication is demonstrated by entering a strong password along with a 5-digit code sent to your smartphone?

  • Multifactor (correct)

What does the process of hashing primarily ensure for communication?

  • Data integrity (correct)

Which of the following protects the personal information of members of the European Union?

  • GDPR (correct)

In the event of an alert concerning malicious files detected by the IDS, what is the recommended next step?

  • Log the alert and watch for a second occurrence (correct)

Which framework is responsible for protecting information about individuals stored by federal agencies?

  • FISMA (correct)

Which two actions should be taken immediately regarding telnet access on the corporate database server? (Choose 2)

  • Implement SSH access on the server. (correct)

Which activity by an adversary is an example of an exploit attempting to gain credentials?

  • Sending an email with a link to a fictitious web portal login page. (correct)

What is one basic metric to consider when assigning a severity to a vulnerability during assessment?

  • The impacts that an exploit of the vulnerability will have on the organization. (correct)

Which two disadvantages of public vulnerability databases should be noted? (Choose 2)

  • Threat actors can access the databases to learn how to vary their threats to avoid detection. (correct)

What type of events do application logs contain?

  • Events from programs running on the device. (correct)

Which action should NOT be taken when evaluating vulnerabilities?

  • Ignore historical data related to previous exploits. (correct)

Which log type records the success or failure of audit policy events?

  • Security logs (correct)

What should be a primary focus when considering a vulnerability's potential for exploitation?

  • The likelihood of an adversary exploiting it. (correct)

Study Notes

Network Issues and Response

  • A network experiencing slow response times might indicate that TCP ports are in a listening state, waiting for connections.
  • The netstat -l command displays TCP ports in a listening state.

Incident Response Lifecycle

  • Preparation: Mitigate the impact of the incident, report its cause and cost, and identify steps to prevent future incidents.
  • Detection and Analysis: Evaluate incident indicators (legitimate attacks vs. illegitimate ones) and alert the organization.
  • Containment, Eradication, and Recovery: Establish incident response capability to secure organizational assets.

Hypervisor Purpose

  • Creates and runs virtual machines.

Operating System Monitoring

  • Security teams track operating system versions, security updates, and patches on devices, typically through asset management.

Internal Network Spoofing Prevention

  • DNS records can help prevent internal network spoofing.

Security and Performance Issues

  • Two private IPv4 addresses that should be blocked on the internet for security and performance reasons are 192.168.18.189 and 203.0.113.168.

Risk Management

  • Risk reduction: Implementing measures to lessen the negative impacts of risks.
  • Risk avoidance: Choosing not to engage in activities that might involve risks.
  • Risk acceptance: Acknowledging the risks but not taking actions to prevent them.
  • Risk transfer: Passing risk to a third party.

CIA Triad

  • Confidentiality: Data is accessible only to authorized users.
  • Integrity: Data cannot be altered without authorization.
  • Availability: Data is accessible to authorized users when required.

Cybersecurity Threats

  • Spear phishing: Targeted phishing attacks attempting to steal sensitive data.
  • Smishing: Phishing attacks via SMS or text messages.
  • Ransomware: Malicious software that encrypts data and demands payment for decryption.
  • Vishing: Phishing attacks using voice calls.

Network Troubleshooting

  • Implement MAC address filtering to prevent an unknown host from attaching to a network.
  • Block the host's IP address.

Risk Management Phases

  • Choosing risk strategies: Selecting strategies for dealing with identified risks.
  • Measuring residual risk: Assessing how much risk is left after mitigation actions.
  • Mitigating risks: Taking steps to reduce or eliminate the risks.
  • Determining a risk profile: Understanding and categorizing an organization's risks.

Attack Types

  • Man-in-the-middle (MitM): An attacker intercepts communication between two parties.
  • Advanced Persistent Threat (APT): A prolonged and sophisticated attack aimed at persistent access and significant damage.
  • Distributed Denial-of-Service (DDoS): Flooding a target with traffic to overwhelm it.
  • Ransomware: Malicious software that encrypts data and demands payment for decryption.

Security and Accessibility

  • A VPN is a security method for accessing a company's secure network remotely.

Data Protection

  • Hard disk encryption protects data at rest.

Network Protocols for Secure Transfers

  • SSH can encrypt files transferred over an unsecured network.

Cybersecurity Tools

  • Nmap, Nessus Scanner, CVSS, Firewall, and Patch Management Software.

Windows Operating System Logs

  • Windows logs track system activity and can be viewed in Windows Event Viewer (System logs, Application logs, Security logs).

Threat Intelligence Portals

  • Threat intelligence portals are used to analyze suspicious URLs.

Authentication Methods

  • Multifactor authentication uses multiple methods to confirm a user's identity (e.g., a password plus a code sent via phone).

Control Measures

  • Detective measures: Identify threats and events.
  • Preventive measures: Prevent threats from occurring.
  • Corrective measures: Respond to and resolve detected threats and incidents.

Disaster Recovery

  • Natural disasters like floods and hazardous material spills can require disaster recovery plans.

Network Device Troubleshooting

  • To fix wireless printing issues, a new device driver may be required.

Active Reconnaissance

  • Activities such as examining a website's HTTP source code to gather information.

Remote Access Procedures

  • Disable telnet to force more secure authentication methods.

Cybersecurity Tools and Purposes

  • SIEM (Security Information and Event Management) systems can be used to detect anomalies in user activity.
  • Log files contain information about programs running on the device, software installations, hardware/driver operations, and policy successes/failures.
  • Vulnerability databases are helpful, but reporting and investigation can take time before new entries are adopted by security platforms.

Description

This quiz delves into network security concepts, the incident response lifecycle, hypervisor functionality, and operating system monitoring. Explore how to effectively address network issues, prepare for incidents, and prevent spoofing while ensuring system security.
