200-201 Questions and Answers

SQL injection

dictionary

replay

cross-site scripting

static IP addresses

signatures

digital certificates

cipher suite

port scan

SYN flood

man-in-the-middle

phishing

teardrop

Recovery

Detection

Eradication

Analysis

extended sleep calls

encryption

resource exhaustion

encoding

ARP flood

DNS amplification

ARP poisoning

DNS tunneling

TCP connections

ping of death

man-in-the-middle

code-red

UDP flooding

employee 5

employee 3

employee 4

employee 2

action on objectives

delivery

exploitation

installation

Managing a vulnerability assessment report to mitigate potential threats.

Focusing on proactively detecting possible signs of intrusion and compromise.

Pursuing competitors and adversaries to infiltrate their system to acquire intelligence data.

Attempting to deliberately disrupt servers by altering their availability

A security practice focused on clarifying and narrowing intrusion points.

A security practice of performing actions rather than acknowledging the threats.

A process to identify and remediate existing weaknesses.

A process to recover from service interruptions and restore business-critical applications

total throughput on the interface of the router and NetFlow records

output of routing protocol authentication failures and ports used

running processes on the applications and their total network usage

deep packet captures of each application flow and duration

Stateful inspection is capable of TCP state tracking, and deep packet filtering checks only TCP source and destination ports

Deep packet inspection is capable of malware blocking, and stateful inspection is not

Deep packet inspection operates on Layer 3 and 4. and stateful inspection operates on Layer 3 of the OSI model

Deep packet inspection is capable of TCP state monitoring only, and stateful inspection can inspect TCP and UDP.

Stateful inspection is capable of packet data inspections, and deep packet inspection is not

Personally Identifiable Information (Pll)

Payment Card Industry (PCI)

Protected Hearth Information (PHI)

Intellectual Property (IP)

Sarbanes-Oxley (SOX)

social engineering

eavesdropping

piggybacking

tailgating

10.0.0.2 sends GET/ HTTP/1.1 And Post request and the target responds with HTTP/1.1. 200 OC and HTTP/1.1 403 accordingly. This is an HTTP flood attempt.

10.0.0.2 sends HTTP FORBIDDEN /1.1 And Post request, while the target responds with HTTP/1.1 200 Get and HTTP/1.1 403. This is an HTTP GET flood attack.

10.128.0.2 sends POST/1.1 And POST requests, and the target responds with HTTP/1.1 200 Ok and HTTP/1.1 403 accordingly. This is an HTTP Reserve Bandwidth flood.

10.128.0.2 sends HTTP/FORBIDDEN/ 1.1 and Get requests, and the target responds with HTTP/1.1 200 OK and HTTP/1.1 403. This is an HTTP cache bypass attack.

Stateful inspection verifies contents at Layer 4. and deep packet inspection verifies connection at Layer 7.

Stateful inspection is more secure than deep packet inspection on Layer 7.

Deep packet inspection is more secure than stateful inspection on Layer 4.

Deep packet inspection allows visibility on Layer 7, and stateful inspection allows visibility on Layer 4.

date of birth

driver's license number

gender

zip code

NetScout

tcpdump

SolarWinds

netsh

data availability

data normalization

data signature

data protection

privileges required

user interaction

attack complexity

attack vector

forgery attack

plaintext-only attack

ciphertext-only attack

meet-in-the-middle attack

statistical data

session data

connectivity data

alert data

Tapping interrogation replicates signals to a separate port for analyzing traffic

Tapping interrogations detect and block malicious traffic

Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies

Inline interrogation detects malicious traffic but does not block the traffic

encapsulation

TOR

tunneling

NAT

queries Linux devices that have Microsoft Services for Linux installed

deploys Windows Operating Systems in an automated fashion

is an efficient tool for working with Active Directory

has a Common Information Model, which describes installed hardware and software

TCP rule that detects TCP packets with the SYN flag in an external FTP server

TCP rule that detects TCP packets with a SYN flag in the internal network

TCP rule that detects TCP packets with a ACK flag in the internal network

TCP rule that detects TCP packets with the ACK flag in an external FTP server

the intellectual property that was stolen

the defense contractor who stored the intellectual property

the method used to conduct the attack

the foreign government that conducted the attack

SQL injection

cross-site scripting

cross-site request forgery

command injection

by most active source IP

by most used ports

based on the protocols used

based on the most used applications

The traffic would have been monitored at any segment in the network.

Malicious traffic would have been blocked on multiple devices

An extra level of security would have been in place

Detailed information about the data in real time would have been provided

legal

compliance

regulated

contractual

cross-site scripting

man-in-the-middle

SQL injection

denial of service

transaction data

location data

statistical data

alert data

phishing email

sender

HR

receiver

Bridge the single connection into multiple.

Divide the network into parts

Split packets into pieces.

Reduce the load on network devices.

Implement the patch management process

frame check sequence

alert data

full packet

session logs

management and reporting

traffic filtering

adaptive AVC

metrics collection and exporting

application recognition

traffic fragmentation

port scanning

host profiling

SYN flood

alert data

transaction data

session data

full packet capture

[a−z]+

[^a−z]+

a−z+

a*z+

The threat actor used a dictionary-based password attack to obtain credentials.

The threat actor gained access to the system by known credentials.

The threat actor used the teardrop technique to confuse and crash login services.

The threat actor used an unknown vulnerability of the operating system that went undetected.

man-in-the-middle attack

ARP poisoning

brute-force attack

SQL injection

central key management server

web of trust

trusted certificate authorities

registration authority data

split brain

scanning

phishing

reflected

direct

HTTPS is used internally and screening traffic (or external parties is hard due to isolation.

The communication is encrypted and the data in transit is secured.

Digital certificates secure the session, and the data is sent at random intervals.

Traffic is tunneled to a specific destination and is inaccessible to others except for the receiver.

A policy violation is active for host 10.10.101.24.

A host on the network is sending a DDoS attack to another inside host.

There are three active data exfiltration alerts.

A policy violation is active for host 10.201.3.149.

A vulnerability is a sum of possible malicious entry points, and a risk represents the possibility of the unauthorized entry itself.

A risk is a potential threat that an exploit applies to, and a vulnerability represents the threat itself

A vulnerability represents a flaw in a security that can be exploited, and the risk is the potential damage it might cause.

A risk is potential threat that adversaries use to infiltrate the network, and a vulnerability is an exploit

destination IP address

TCP ACK

HTTP status code

URI

Nagios

CAINE

Hydra

Wireshark

application identification number

active process identification number

runtime identification number

process identification number

an organizational approach to events that could lead to asset loss or disruption of operations

an organizational approach to security management to ensure a service lifecycle and continuous improvements

an organizational approach to disaster recovery and timely restoration of operational services

an organizational approach to system backup and data archiving aligned to regulations

Tampered images have the same stored and computed hash.

Untampered images are deliberately altered to preserve as evidence.

Tampered images are used as evidence.

Untampered images are used for forensic investigations.

referrer

host

user-agent

accept-language

decrypts data with one key

fast data transfer

secure data transfer

encrypts data with one key

Cross-Site Scripting attack

XML External Entitles attack

Insecure Deserialization

Regular GET requests

Confidentiality of the data is kept secure and permissions are validated

Data is accessible and available to permitted individuals

Data is unaltered and its integrity is preserved

Data is secure and unreadable without decrypting it

crgrrgre

np+e

c(rgr)e

ce

man-in-the-middle attack

smishing

phishing attack

integrity violation

DNS hijacking

DNS tunneling

DNS flooding

DNS amplification

integrity

availability

accessibility

confidentiality

Encryption analysis is used by attackers to monitor VPN tunnels.

Encryption is used by threat actors as a method of evasion and obfuscation.

Encryption introduces additional processing requirements by the CPU.

Encryption introduces larger packet sizes to analyze and store.

host-based intrusion detection

systems-based sandboxing

host-based firewall

antivirus

CSIRT

PSIRT

public affairs

management

proxy

NetFlow

IDS

sys

transaction data

statistical data

session data

full packet capture

examination

investigation

collection

reporting

gaining root access

executing remote code

reading and writing file permission

opening a malicious file

DAC requires explicit authorization for a given user on a given object, and RBAC requires specific conditions.

RBAC access is granted when a user meets specific conditions, and in DAC, permissions are applied on user and group levels.

RBAC is an extended version of DAC where you can add an extra level of authorization based on time.

DAC administrators pass privileges to users and groups, and in RBAC, permissions are applied to specific groups

An attack vector recognizes the potential outcomes of an attack, and the attack surface is choosing a method of an attack.

An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.

An attack surface mitigates external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.

An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation

Identified a firewall device preventing the port state from being returned

Identified open SMB ports on the server

Gathered information on processes running on the server

Gathered a list of Active Directory users.

A binary named "submit" is running on VM cuckoo1.

A binary is being submitted to run on VM cuckoo1

A binary on VM cuckoo1 is being submitted for evaluation

A URL is being evaluated to see if it has a malicious binary

integrity

confidentiality

availability

scope

subnet

botnet

VLAN

command and control

workload and the configuration details

user accounts and SID

number of users and requests that the server is handling

functionality and purpose of the server

running services

colo?ur

col[0−8]+our

colou?r

col[0−9]+our

Run "ps -ef to understand which processes are taking a high amount of resources

Run "ps -u" to find out who executed additional processes that caused a high load on a server

Run "ps -m" to capture the existing state of daemons and map the required processes to find the gap

Run "ps -d" to decrease the priority state of high-load processes to avoid resource exhaustion

NetFlow

dnstools

firewall

tcpdump

SQL injection

man-in-the-middle

bluesnarfing

denial-of-service

A threat is a result of utilizing flow in a system, and an exploit is a result of gaining control over the system.

A threat is a potential attack on an asset and an exploit takes advantage of the vulnerability of the asset

An exploit is an attack vector, and a threat is a potential path the attack must go through.

An exploit is an attack path, and a threat represents a potential vulnerability

True positives affect security as no alarm is raised when an attack has taken place, while false positives are alerts raised appropriately to detect and further mitigate them.

True-positive alerts are blocked by mistake as potential attacks, while False-positives are actual attacks Identified as harmless.

False-positive alerts are detected by confusion as potential attacks, while true positives are attack attempts identified appropriately.

False positives alerts are manually ignored signatures to avoid warnings that are already acknowledged, while true positives are warnings that are not yet acknowledged.

spam emails on an employee workstation

virus detection by the AV software

blocked phishing attempt on a company

malware reinfection within a few minutes of removal

session duration

total throughput

running processes

listening ports

OS fingerprint