Mockup 01 - Explanation of MCQs

Replay Attack: Threat actors try to spoof the source IP address of a client and redirect their
system to send the same data repeatedly to a targeted server with a malicious payload.
Packet Capture: A monitoring tool that intercept and store network data.
System Network Management Protocol: A protocol that enables network administrators to
monitor and manage network performance.
Vulnerability Testing: It is used to find ways that a system could be exploited.
Vulnerability Scanning: It is used to search for vulnerabilities on a system or network.
Watering Hole: It is a type of attack which attempts to lure victims to an infected website.
Pharming: This type of attack involves directing an internet user to fake websites.
Whaling: This type of attack involves targeting a high profile victim.
Mitigation: It lesson the likelihood or severity of an exploit.
Remediation: Remediation is fully resolving the vulnerability’s chance of being exploited.
Evaluating: Evaluation helps in identifying vulnerabilities, assessing the likelihood of security
events, and understanding the potential consequences of these occurrences.
Windows Update Baseline: It is a toolkit that allows an administrator to ensure that the devices
on the respective network receive the latest monthly security updates in a timely manner.
Windows Server Update Services (WSUS) Server: It can be used to roll out Windows updates
and sets an update source for network computers but will not provide a baseline to see if
compliance goals are met.
Security Policy Template: Rules that administrators configure on computers for the purpose of
protecting resources but not for the purpose of updating compliance goals.
Account Security Policies: Used through the local GPO (Group Policy) editor to define security
configurations but not for updating compliance goals.
OpenSSL: General-purpose Cryptography Linux tool.
Metasploit: A penetration testing tool that is used to exploit an asset to determine if it is
vulnerable. It provides information about vulnerabilities and aids in penetration testing and IDS
signature development.
Wireshark: It is a protocol analyzer tool.
WEP: Alternative encryption mechanism to WPA2-Enterprise.
PSK: It uses a pre-shared key instead of an authentication server.
Types of Log Files:
 Data Log: Used to analyze specific trends by logging events/actions through which data,
files, or applications are stored, accessed or modified on a storage device or application.
 System Log: Used to view events that are updated by the OS components, such as device
drivers, events and operations.
 Security Log: Used to view security events on a system.
 Setup Log: Record information about the installation of s/w, including Windows Updates.
 Application Log: Records information logged by applications hosted on the local machine.
 File Replication Services Log: Used to record replication events on a domain controller.
SSID Cloaking: Require specific knowledge of the SSID to access the wireless network but
does not encrypt the wireless traffic that is transmitted.
MAC Filtering: Restrict specific drivers from accessing the wireless network, but does not
encrypt the wireless traffic that is transmitted.
WPA3: It provides a more secure encryption method for wireless traffic.
Nmap: It can be used to perform port scans to determine what services are running on a system.
Nslookup: It is a tool for discovering domain name to IP address mappings.
HPING: It is a TCP/IP packet analyzer tool.
WLAN: It is a wireless computer network that links multiple wireless devices to form a LAN
within a limited area.
Ping Flood: Threat actors try to overwhelm the target system by echo requests packets.
Script Block Logging: This can be enabled through the Policy Editor or directly in the registry.
Windows Defender Firewall Monitoring: Used to track firewall activities.
Virus and Threat Protection Notifications: Used for antivirus-related information.
System Testing: Used to test how software integrates with a system.
Full Backup: These are most secure, reliable method of copying data.
Incremental Backup: Stores all changes that were made since the previous backup.
Differential Backup: Only Store changes made to files since last backup.
Mirror Backup: An exact copy is made of the source data.
/var/log/secure: Contains information related to authentication and authorization privileges.
/var/log/messages: Contains global system messages, including the messages that are logged
during system startup.
/var/log/cron: Records events related to the cron deamon.
/var/log/mailing: Contains the log information from the mail server that is running on the
system.
SPAN: SPAN is Switch Port Analyzer for port mirroring.
SCAP: Automates system vulnerability management and security compliance evaluation.
Encryption File System: A feature introduced in version of NTFS provides file- encryption.
Distributed File System: It is file system that is distributed on multiple file servers.
Sandboxing: It separates a program from the operating system.
Integrity Checking: It examines files to see if they have changed.
“clear-screen” Policy: Directs all the organization’s employees to lock their computers when
leaving their desks by logging off. This prevents unauthorized use of the computer and protects
the privacy of its contents.
.pcap file: A PCAP file is a packet capture created by Wireshark, a free network data analysis
program. It contains network packet data that Wireshark intercepted and logged while
monitoring a network. Network administrators use PCAP files to diagnose network problems and
detect malicious network activity.
.data file: A DATA file is a data file used by Analysis Studio, a statistical analysis and data
mining program. It contains mined data in a plain text, tab-delimited format, including an
Analysis Studio file header.
CybOX: It is a standardized schema that supports cybersecurity functions.
STIX: It is a set of specifications for exchanging cyber threat information (CTI).
TAXII: It is the specification for a protocol designed to support STIX.
FileEye Hlix: It is not a standard but it is a security platform.
Cisco Talos: Not a standard, but rather a threat intelligence team for protecting enterprise users,
data and information.
Automated Indicator Sharing 9AIS): AIS is provided for free by the U.S. Department of
Homeland Security (DHS). AIS enables the real-time exchange of cyber threat indicators (e.g.,
malicious IP addresses, the sender address of a phishing email, etc.) between the U.S. Federal
Government and the private sector.
Common Vulnerability Scoring System (CVSS): This answer is incorrect. The CVSS is
maintained by FIRST. It is an assessment tool that assigns a score to a vulnerability. The numeric
score can be used to determine the urgency of the vulnerability and the priority of addressing it.
Information Security Plan: It is about security policies to be implemented.
Preventive Control Specifications: It only deals with how disasters can be prevented.
Recovery Point Objectives: Identify the maximum amount of data that can be lost after the
recovery from a disaster.
U.S. Department of Homeland Security (DHS): U.S. Department of Homeland Security
(DHS): This answer is incorrect. DHS Automated Indicator Sharing (AIS) is a free service
provided to US private sector and governmental organizations. When a threat is reported, AIS
immediately shares cyber threat indicators in STIX format with the registered community.
Forum of Incident Response and Security Teams (FIRST): This answer is correct. FIRST is a
security organization that maintains the Common Vulnerability Scoring System (CVSS), The
CVSS is an assessment tool that assigns a score to a vulnerability. The numeric score can be used
to determine the urgency of the vulnerability and the priority of addressing it.
SysAdmin, Audit, Network, Security (SANS) Institute: This answer is incorrect. The SANS
Institute provides security training, certifications, and free resources including the Internet Storm
Center, NewsBites news articles, @RISK weekly digest, and flash security alerts.
DNS Hijacking: In this attack, threat actors change the A record for your domain’s IP address to
point to a predetermined address of their choice.
Event Viewer: This answer is correct because Event Viewer is a built-in Windows application
that lets you check the events that take place on your computer, by giving you access to logs
about program, security, and system events.
Task Manager: This answer is incorrect because Task Manager allows you to monitor the
applications, processes, and services running on your computer.
Device Manager: This answer is incorrect because Device Manager provides users an
organized, central view of the Windows-recognized hardware attached to a computer.
Management Console: This answer is incorrect because the Management Console is a graphical
user interface with a programming framework that can help the user to generate, edit, save, and
open consoles.
Smurf Attack: In a smurf attack, threat actors will spoof the source address of the ICMP packet
and send a broadcast to all computers on that network to generate enough broadcast traffic to
compromise the network.
Fingerprinting: Fingerprinting is a technique used to exploit the vulnerability in the ICMP echo
packet to obtain details of the operating system on the target computer.
Teardrop Attack: A teardrop attack is when threat actors exploit overlapping IP fragments
present in the target system. When the destination target tries to reassemble them, it cannot do so
and fails, which causes the target system to reboot or crash.
Competitors: They use attacks against business competitors.
Diffi-Hellman: It is an asymmetric encryption algorithm.
RADIUS: RADIUS server is the only supported authentication server for 802.1x.
LDAP: LDAP is a protocol for accessing directory services.
TACACS+: TACACS+ is a security protocol for accessing networks, but it is not supported by
802.1x.
Hostname: The hostname field indicates the server on which the message originated.
Severity: The severity describes the importance of the message.
Facility: The facility describes the application or operating system component that originated the
message.
Timestamp: The syslog message consists of three parts: PRI, HEADER, and MSG. The header
contains the timestamp and hostname.
Defender Credential Guard: It is a Windows feature that uses virtualization-based security to
isolate secrets so that only privileged system software can access them.
Incident response requires policies, plans, and procedures.
 The correct response for "Incident Response Policy" is "Details the purpose, objectives,
and scope for incident response and includes the prioritization of incidents and performance
measures."
 The correct response for "Incident Response Plan" is "Details the organizational approach,
strategies, and resources for incident response and includes how the team will communicate
with internal and external parties."
 The correct response for "Incident Response Procedures" is "Includes comprehensive and
detailed standard operating procedures (SOPs) to be followed during an incident response."
Application control: This answer is incorrect because it is a security practice that blocks or
restricts unauthorized applications from executing in ways that put data at risk on production
systems. However, it does not allow for testing the software patches in a sterile environment.
The syslog logging levels and what they represent are as follows:
 Emergency - System is unusable
 Alert - Should be corrected immediately
 Critical - Critical conditions
 Error - Error conditions
 Warning - May indicate an error will occur if action is not taken
 Notice - Events that are unusual but not error conditions
 Informational - Normal operational events that require no action
 Debug - Information useful to developers
Metered connections: You can set the network connections as metered connections. On a
metered connection, Windows won't download feature updates, though it will still download
critical patches and security updates.
SFC (System File Checker): SFC is used to check the integrity of the Windows system files.
Scheduler: Windows scheduler is used to carry out tasks at pre-determined times.
Digital certificate: A digital certificate is similar to a virtual ID card and is used to authenticate
the identity of a system with a vendor website and establish an encrypted connection to exchange
confidential data.
Website domain name: A threat actor could spoof a domain name.
Website IP address: A threat actor could redirect the website address to an alternate IP address.
Code signing: Code signing is used to verify the integrity of executable files downloaded from
the website but not for authentication or verification of the website.
NetFlow: It is a system that collects information on packets flowing through the network.
US Government Federal Information Processing Standard (FIPS): FIPS is responsible for
ensuring that software available for download on the internet is digitally signed and verified by a
trusted certificate authority.
Update history: You can view the failed Windows updates under the Update History.
System Information panel: Windows 10 System Information Panel is used to view a list of
details about your operating system, computer hardware, and software components but not for
failed Windows updates.
Virtualized sandbox: It provides a safe, isolated environment to test out the effects and security
of the patch.
Non-production system: Any security flaws in the patch could compromise the corporate
network. It would also be difficult to replicate different environments to test the patch.
Baseline image: This is the starting point of a singular environment and is open to security flaws
that may compromise the network.
Windows Server Update Services: It is a tool to manage update services, but it does not
provide a separate environment to verify a patch.
"Natural disasters" is "Hardened facilities and alternate sites". Natural disasters can be
mitigated by hardening facilities and providing alternate sites so as to not disrupt the operations
of the organization.
"Cyber attack" is "Firewalls, IDS and IPS, Log Analyzers". Cyber attacks can be mitigated
by deploying firewalls, intrusion detection, and prevention systems and by using log analyzers.
"Supply chain disruptions" is "Alternate sources, inventory management". Supply chain
disruptions can be mitigated by obtaining alternate sources or by employing inventory
management systems.
"Employee errors" is "Standard procedures, training". Employee errors can be mitigated by
creating Standard Operating Procedures and providing sufficient employee training.
Quarantined Network: Provides an isolated environment for computers that are not in
compliance with security standards. They are placed here after a user logs on and security
standards are not met.
How should a cybersecurity technician start a firmware update implementation plan?
 By evaluating and prioritizing updates against the potential for disruption to users and
systems: This answer is correct because firmware updates can cause a lot of downtime on
critical systems and this should be the first step in approaching a firmware update
implementation plan.
 By forcing all firmware updates to run first in virtual machines to test their integrity:
This answer is incorrect because you cannot test firmware updates in a virtual environment.
Firmware updates take place below the kernel layer and at the hardware abstraction layer.
 By running WSUS to avoid system disruptions caused by the updates: This answer is
incorrect because WSUS (Windows Server Update Service) is used to fully manage the
distribution of updates that are released through Microsoft Update to computers on the
network and not for firmware updates.
 By creating a Group Policy security object to specify off-peak hours for all firmware
updates: This answer is incorrect because GPOs are used to establish security settings,
install applications, run scripts, set group preferences, and configure the registry.
Run the nslookup set srchlist command: This answer is correct because it allows
modifications to the search list.
Run the nslookup set querytype command: This answer is incorrect because it changes a
query's resource record type.
Run the nslookup set search command: This answer is incorrect because it adds the DNS
domain name in the DNS domain search list to the request until a response is received.
Run the nslookup set type command: This answer is incorrect because it changes a query's
resource record type.
GRE Terminal: Not secure.
WoS: Quality of service is used to control n/w performance.
VLAN: VLAN is a layer 2 broadcast domain.
Threat Intelligence Data Collected by Threat Intelligence Platforms:
 Indicators of compromise: This answer is correct because indicators of compromise (IOC)
are one of the three major types of threat intelligence data centralized and collected by threat
intelligence platforms (TIP).
 Reputation information: This answer is correct because reputation information about
internet destinations is one of the three major types of threat intelligence data centralized and
collected by threat intelligence platforms (TIP).
 Tools, techniques, and procedures: This answer is correct because tools, techniques, and
procedures (TTP) are one of the three major types of threat intelligence data centralized and
collected by threat intelligence platforms (TIP).
Standard operating procedures: Focused on a specific organization's computer security
incident response capabilities.
Incident response capability: Focused on creating policies, plans, and procedures for an
organization.
MDM (Mobile Device Management) software: MDM is a security software that allows for the
implementation of policies that secure, monitor, and manage end-user mobile devices including
asset tracking.
RFID (Radio Frequency Identification) tagging: RFIDs use radio frequency for the purpose of
asset management and are localized in terms of the distance where the tracker and the beacon are
placed.
Object Access: It determines attempts to access files and other objects.
Process Tracking: It determines events such as program activation and process exits.
Directory Services: It determines whether the operating system generates audit events when an
Active Directory Domain Services (AD DS) object is accessed.
Audit Logon: It determines whether the operating system generates audit events when a user
attempts to log on to the computer.
"Audit process" is "An independent examination of records and activities to determine if
controls exist to ensure compliance with established security policies."
"Information assurance" is "Documentation which provides a high degree of confidence that
adequate network and data security measures are in place.
"Security assessment" is "Processes and procedures to evaluate the security of an entire system
or in response to a single event."
"System monitoring" is "Real-time and ongoing awareness of activity on the network and the
attached devices in order to look for anomalies."
Spyware: A program that collects information about users, systems, and browsing habits.
Network Segmentation: It divides the n/w up into logical groups to control access to n/w
resources.
Jailbreaking: It is an attempt to bypass user account restrictions on an iOS device.
Rooting: It is an attempt to gain root privileges on an Android device.
Cracking: It is a technique used to breach computer software or a computer system.
Trespassing: It is the act of intentionally accessing a system without having authorization.
chmod: It is the command to change file permissions.
chown: It is a command to change file ownership.
chgrp: It is a command to change group ownership.
mkdir: It is the command to create a directory.
In which order should you collect digital evidence from a computer system?
 Contents of RAM, Contents of Fixed Disk, Archived Backup: This answer is correct
because the contents of RAM are the most volatile and the contents of an archived backup
are the least volatile.
 Contents of Fixed Disk, Contents of RAM, Archived Backup: This answer is incorrect
because a fixed disk is less volatile than the contents of RAM.
 Contents of Fixed Disk, Archived Backup, Contents of RAM: This answer is incorrect
because the contents of RAM are more volatile than the contents of a fixed disk or an
archived backup.
 Archived Backup, Contents of Fixed Disk, Contents of RAM: This answer is incorrect
because an archived backup is the least volatile.
GnuPG: An encryption tool used in Linux computers.
Zero Day Attack: It is an attack against vulnerabilities that vendors have only just learned about
and have no chance to address it.
Attack Attribution: Refers to the process of determining who was responsible for an intrusion
or attack.
Direct Evidence: It describes evidence that was directly in the possession of the accused.
Security Policy: A security policy is a set of standardized practices and procedures designed to
protect a business's network from threat actors.
Identification and Authentication policy: This policy specifies which authorized people can
have access to network resources and outlines verification procedures for those users.
Acceptable Use policy: This policy defines a set of rules to be followed by users or customers
for various computing resources.
Network Access policy: This policy identifies network resources and usage that are acceptable
to the organization.
Network Maintainance policy: This policy specifies update procedures for network device
operating systems and end-user applications.
Remote Acess policy: This policy defines the access conditions for users connecting into the
network across the WAN (access permissions).
Password policy: This policy deals with the length, number, and type of characters that can be
used to log into the network.
Malicious insider: An employee steals confidential technical specifications for a product for
personal gain. Malicious insiders make planned attacks to steal information for their own
personal gain.
Negligent insider: An employee takes home a storage drive without authorization, which is then
stolen from the employee's vehicle. The employee took something without authorization without
any malicious intent.
Compromised insider: An employee gives their credentials to an attacker in a spear fishing
attack, and the attacker uses the credentials to launch further attacks. The employee was the
victim of a social engineering attack which led to their account being compromised.
CAM Table Overflow: In a CAM Table Overflow attack the attacker floods a switch with
bogus frames with fake source MAC addresses until the switch CAM table is full.
netstat -o command: It will list all applications on the network and the TCP connections
associated with them.
netstat -a command: It will display a list of active TCP connections, but not the applications on
the network.
netstat -e command: It will display ethernet statistics but not information about active TCP
connections or applications on the network.
netstat -r command: It will display contents of the routing table but not information about
active TCP connections or applications on the network.
Incident Response Plan: It is concerned with how employees respond to individual incidents,
not a broad plan for business continuity.
Infrastructure Purchasing Plan: It is concerned with the acquisition of infrastructure
equipment
Cybersecurity Plan: It is about an organization's security policies, processes, and defensive
measures.
Asset management: It is concerned with accounting for and maintaining assets.
Configuration management: It is concerned with keeping IT system configurations consistent.
Sweep scan: It tries to find out which hosts on a network have a specific port open.
Vanilla scan: It tries to locate open ports by scanning all 65,536 ports at the same time.
Bounce scan: It is a technique used by an attacker to disguise their location.
Ping scan: It sends ICMP packets to get a response from the target hosts.
DES (Data Encryption Standard): A legacy symmetric encryption algorithm.
chroot: This command allows a user to change the root directory.
sudo: It enables users to run commands with superuser privileges.
chmod: It is used to change the access permissions of file system objects.
su: It allows a user to run commands with another user's privileges.
Forensic Process: Provides guidance in developing digital forensics plans using a four-phase
process.