Chapter 13 Cybersecurity Toolkit

Question 1

• Set of security mitigation capabilities bundled together to help prevent malware from exploiting vulnerabilities and other attacks
• Includes: Data execution prevention (DEP) and Address space layout randomization (ASLR)

Answer 1

Enhanced Mitigation Experience Toolkit (EMET)

Question 2

Feature to prevent the execution of malware loaded into data space in memory

Answer 2

Data execution prevention (DEP)

Question 3

Helps prevent buffer overflows attacks and others that rely on specific acknowledge of memory locations

Answer 3

Address Space Layout Randomization (ASLR)

Question 4

Name the tools in the Windows Sysinternals Suite

Answer 4

• AccessEnum
• AutoRuns
• Process Explorer
• PsTools
• SDelete
• ShareEnum
• Sysmon
• ProcDump
• TCPView

Question 5

• Enumerates the access on a system
• Provides a good view of who has permissions to files, directories, and other objects
• Part of Windows Sysinternals Suite

Answer 5

AccessEnum

Question 6

• A utility that shows what programs start at login or system boot
• Part of Windows Sysinternals Suite

Answer 6

AutoRuns

Question 7

• Tool that shows the files, DLLs, registry keys and other objects in use by each process
• Part of Windows Sysinternals Suite

Answer 7

Process Explorer

Question 8

• Set of command line utilities with a broad range of functions, including process information and start/stop capabilities, event log dumping, password changes, and many others
• Part of Windows Sysinternals Suite

Answer 8

PsTools

Question 9

• Secure file deletion utility

- Part of Windows Sysinternals Suite

Answer 9

SDelete

Question 10

• Tool that analyzes shares and their permissions

- Part of Windows Sysinternals Suite

Answer 10

ShareEnum

Question 11

• Often used for intrusion detection and forensic analysis for its ability to monitor processes and their activity in a searchable and easily viewable manner
• Part of Windows Sysinternals Suite

Answer 11

Sysmon

Question 12

• Provides process dumping for memory and error analysis

- Part of Windows Sysinternals Suite

Answer 12

ProcDump

Question 13

• Tool for stock at level visibility for analyzing network connected services
• Part of Windows Sysinternals Suite

Answer 13

TCPView

Question 14

Standard for logging and is designed to allow logs to be created for an endpoint server, system, or device, and then be stored locally or sent to essential server or storage system

Answer 14

Syslog

Question 15

SIEM tool designed to provide large-scale data collection and analysis capabilities for broad range of data types

Answer 15

Splunk

Question 16

Provides SIEM functionality as well as asset discovery, vulnerability scanning and assessment, behavior (heuristic) analysis capabilities, and IDS capabilities

Answer 16

AlienVault’s Universal Security Manager (USM)

Question 17

An open source SIEM that integrates a number of Open Source tools to provide security information and event capabilities

Answer 17

AlienVault offers OSSIM

Question 18

A network graphing tool that runs on top of RRDtool (a data logging and graphing system) to allow recurring, time-based data collection and analysis

Answer 18

Cacti

Question 19

A network monitoring tool that leverages SNMP to monitor traffic on network connections

Answer 19

Multi Router Traffic Grapher (MRTG)

Question 20

Well-known and widely respected network vulnerability scanning product

Answer 20

Tenable Nessus

Question 21

A vulnerability scanner that uses Software-as-a-Service (SaaS) management console to run scans using appliances located both in on premise datacenters and in the cloud

Answer 21

Qualys’s QualysGuard

Question 22

Another commercial vulnerability scanner that offers similar capabilities to Nessus and QualysGuard

Answer 22

Rapid7’s Nexpose

Question 23

An open source vulnerability scanner

Answer 23

open source OpenVAS

Question 24

• Test for web specific vulnerabilities, such as SQL injections, cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities
• i.e. Nikto

Answer 24

Web application scanners

Question 25

Tools designed to help with acquisition of passwords

Answer 25

- fgdump - pwdump - SAMdump2

Question 26

Open source tool designed to crack passwords and hashes, including Linux, Windows, Kerberos and other frequently use password hashing methods

Answer 26

John the Ripper

Question 27

Open source password cracking tool that relies on rainbow tables to quickly look up hashes to return their original value

Answer 27

Ophcrack

Question 28

- Perform similar actions to their Network counterparts, seeking to identify and block potentially malicious network traffic - Not used a lot in production

Answer 28

Host intrusion prevention systems (HIPS)

Question 29

- Build a table of hash values for all files resident on a protected computer system and then monitors files for unexpected changes in those hash values - ie Tripwire - Mandated by PCI DSS

Answer 29

File Integrity Monitoring software

Question 30

- Has replaced nslookup for Mac OS and Linux | - Provides a little more detail than nslookup

Answer 30

Dig

Question 31

- Acts as a middleman between end-user systems and web servers - All web requests are sent to the server rather than direct connection between web server and end user clients

Answer 31

Proxy servers

Question 32

What are the benefits of using a proxy server over direct connections?

Answer 32

1. Proxy servers provide an opportunity to perform content filtering 2. Proxy servers may perform caching of frequently requested content - improve response time for users and decreases bandwidth consumption

Question 33

The majority of servers implementing TLS and SSL do so by using what open source library?

Answer 33

OpenSSL

Question 34

- Provide content and protocol-aware firewall and technical protections for web applications - Can be used to provide protection against zero-day attacks that are not patched but have known attack profiles by building custom rules that address the exploit

Answer 34

Web application firewall

Question 35

Name a couple of interception proxies

Answer 35

Burp Suite proxy | Zed attack proxy (ZAP)

Question 36

Name some popular Fuzzer tools

Answer 36

- Peach fuzzer - Untidy fuzzer - Microsoft security development lifecycle (SDL) includes: MiniFuzz file fuzzer and the SDL Regex Fuzzer

Question 37

The three major forensic image formats or what?

Answer 37

1. RAW 2. AFF 3. E01

Question 38

- Forensic image format | - Bit by bit copies of the original format. Metadata is sometimes acquired along with this image and stored separately

Answer 38

RAW

Question 39

- Forensic image format | - An open extensible forensic format for disk images and metadata

Answer 39

AFF Advanced Forensic Format

Question 40

- Forensic image format - Commonly used for law enforcement investigations ENCase file format

Answer 40

E01

Question 41

What are some stand-alone imaging utilities available?

Answer 41

- dd - OSFColone - FTK Image

Question 42

Guidance Software commercial forensic suite, provides a GUI driven full forensics week

Answer 42

EnCase

Question 43

Complete commercial forensic suite provided by access data

Answer 43

FTK, the Forensic Toolkit

Question 44

- Toolkit built using open-source tools and it's based on Ubuntu Linux - Popular forensic suite

Answer 44

SANS SIFT

Question 45

- Command line based toolkit for image analysis and file recovery - Popular forensic Suite

Answer 45

Sleuth Kit

Question 46

GUI-based program that provides forensic image analysis capabilities

Answer 46

Autopsy

Question 47

Pair of commercial forensic tools

Answer 47

Helix 3 Enterprise and Pro

Question 48

Provides dedicated mobile forensic features designed to capture, analyze, and report on data from phones and other mobile devices

Answer 48

Cellebrite’s UFED